Edit tour

Windows Analysis Report
719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Overview

General Information

Sample name:	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe renamed because original name is a hash value
Original sample name:	719) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Analysis ID:	1474895
MD5:	5c6891085e07e545d17151a95c09cf91
SHA1:	7fd72f615e08a093726200b6ecb3b79c0f4ffc90
SHA256:	ecec98c92cc04b0d294a56a3ab45956f19dbe5d1dad5f2f2beee48fd0eb1845b
Tags:	AsyncRATexe
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected XWorm

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe" MD5: 5C6891085E07E545D17151A95C09CF91)

719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe (PID: 7812 cmdline: "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe" MD5: 5C6891085E07E545D17151A95C09CF91)

powershell.exe (PID: 7920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7340 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 2196 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10068:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10105:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1021a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf55a:$cnc4: POST / HTTP/1.1
00000000.00000002.1685075768.00000000071A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13fd8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x262c8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x38c30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14075:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x26365:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x38ccd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1418a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2647a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x38de2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x134ca:$cnc4: POST / HTTP/1.1 0x257ba:$cnc4: POST / HTTP/1.1 0x38122:$cnc4: POST / HTTP/1.1
00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1680947996.0000000002401000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7700	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7700	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7812	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2426ecc.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.71a0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd95a:$cnc4: POST / HTTP/1.1
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.71a0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2426ecc.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd95a:$cnc4: POST / HTTP/1.1
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22558:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x34ec0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x225f5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x34f5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2270a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x35072:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1 0x21a4a:$cnc4: POST / HTTP/1.1 0x343b2:$cnc4: POST / HTTP/1.1
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22bd0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22c6d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x22d82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1 0x220c2:$cnc4: POST / HTTP/1.1
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ParentProcessId: 7812, ParentProcessName: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', ProcessId: 7920, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ParentProcessId: 7812, ParentProcessName: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', ProcessId: 7920, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ProcessId: 7812, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ParentProcessId: 7812, ParentProcessName: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe', ProcessId: 7920, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 104.250.180.178

Timestamp:	07/17/24-12:53:31.696206
SID:	2855924
Source Port:	49747
Destination Port:	7061
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 104.250.180.178 - Destination IP: 192.168.2.4

Timestamp:	07/17/24-12:54:51.334995
SID:	2852870
Source Port:	7061
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.4 - Destination IP: 104.250.180.178

Timestamp:	07/17/24-12:54:33.906541
SID:	2852923
Source Port:	49747
Destination Port:	7061
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 104.250.180.178 - Destination IP: 192.168.2.4

Timestamp:	07/17/24-12:54:25.367079
SID:	2852874
Source Port:	7061
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.4 - Destination IP: 104.250.180.178

Timestamp:	2024-07-17T12:54:33.906541+0200
SID:	2852923
Source Port:	49747
Destination Port:	7061
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.4

Timestamp:	2024-07-17T12:53:17.886385+0200
SID:	2022930
Source Port:	443
Destination Port:	49746
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 104.250.180.178 - Destination IP: 192.168.2.4

Timestamp:	2024-07-17T12:54:51.334995+0200
SID:	2852870
Source Port:	7061
Destination Port:	49747
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.4

Timestamp:	2024-07-17T12:53:46.332240+0200
SID:	2022930
Source Port:	443
Destination Port:	49764
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 104.250.180.178

Timestamp:	2024-07-17T12:53:31.696206+0200
SID:	2855924
Source Port:	49747
Destination Port:	7061
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 104.250.180.178 - Destination IP: 192.168.2.4

Timestamp:	2024-07-17T12:54:25.367079+0200
SID:	2852874
Source Port:	7061
Destination Port:	49747
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: 104.250.180.178
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: 7061
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: <123456789>
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: XWorm V5.2
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: USB.exe
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: %AppData%
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack	String decryptor: XClient.exe

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb# source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: Accessibility.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdbRSDS source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdbxX source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32h source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb- source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: o.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: %%.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AE3000.00000004.00000020.00020000.00000000.sdmp, WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb` source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbH source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Management.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER71E3.tmp.dmp.17.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 104.250.180.178:7061 -> 192.168.2.4:49747
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 104.250.180.178:7061 -> 192.168.2.4:49747
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49747 -> 104.250.180.178:7061
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49747 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 104.250.180.178:7061

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 00000005.00000002.1733234460.0000000003257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000A.00000002.1820030790.0000000006D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microC
Source: powershell.exe, 00000007.00000002.1773627752.00000000058BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1763690690.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1716414805.0000000004475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1734504070.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1763690690.0000000004851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.0000000004551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1763690690.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, XClient.exe.2.dr	String found in binary or memory: http://services.sunlightlabs.com/api
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683772611.00000000054F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comK
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000003.00000002.1716414805.000000000449B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1716414805.00000000044AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1734504070.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1734504070.0000000004E4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1763690690.0000000004851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.0000000004551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1773627752.00000000058BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, XClient.exe.2.dr	String found in binary or memory: https://www.google.com/search?q=

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: initial sample	Static PE information: Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_0224D404	0_2_0224D404
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06ADA610	0_2_06ADA610
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06ADC240	0_2_06ADC240
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06ADC250	0_2_06ADC250
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06AD2387	0_2_06AD2387
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06AD2398	0_2_06AD2398
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06ADA1C8	0_2_06ADA1C8
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06ADBE18	0_2_06ADBE18
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06AD9DA0	0_2_06AD9DA0
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBA318	0_2_06FBA318
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBA30E	0_2_06FBA30E
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 2_2_01124AC0	2_2_01124AC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0478B490	7_2_0478B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0079B4A0	10_2_0079B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0079B490	10_2_0079B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0079C67F	10_2_0079C67F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08143A98	10_2_08143A98

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 2196

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1684544930.0000000006B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1680947996.0000000002401000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1685075768.00000000071A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1677435625.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1681455567.00000000035DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2801581466.0000000005D69000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Binary or memory string: OriginalFilenameWjEr.exe4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/22@0/1

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\f8RKHn3SOlVxjC9t
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7812

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File read: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 2196
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.2.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb# source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: Accessibility.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdbRSDS source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdbxX source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32h source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb- source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: o.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: %%.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AE3000.00000004.00000020.00020000.00000000.sdmp, WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb` source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2805178089.0000000006AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbH source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Management.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Drawing.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Management.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2802879049.0000000005EFB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER71E3.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER71E3.tmp.dmp.17.dr

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_04EE04C0 pushfd ; ret	0_2_04EE04C1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_04EEA9F7 push eax; mov dword ptr [esp], ecx	0_2_04EEAA0C
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_04EEAA08 push eax; mov dword ptr [esp], ecx	0_2_04EEAA0C
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_04EEFB40 push eax; ret	0_2_04EEFB73
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBE631 push es; iretd	0_2_06FBE634
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBE74E push es; ret	0_2_06FBE750
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBE71A push ss; ret	0_2_06FBE729
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBEA3A push es; ret	0_2_06FBEA3C
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBEBC2 push eax; retf	0_2_06FBEBCD
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Code function: 0_2_06FBE9C2 push es; ret	0_2_06FBE9C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0478633D push eax; ret	7_2_04786351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0079634D push eax; ret	10_2_00796361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_06E54500 pushfd ; retf	10_2_06E5462E

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Static PE information: section name: .text entropy: 7.9281189787456015
Source: XClient.exe.2.dr	Static PE information: section name: .text entropy: 7.9281189787456015

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7700, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 2240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 4400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 72D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 6BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 82D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 92D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Window / User API: threadDelayed 7155	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Window / User API: threadDelayed 2683	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2316	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1139	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3293	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5867	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3964	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8673	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1051	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe TID: 7720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe TID: 7892	Thread sleep count: 7155 > 30	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe TID: 7892	Thread sleep count: 2683 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep count: 5867 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep count: 3964 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4608	Thread sleep count: 8673 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4608	Thread sleep count: 1051 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2784522852.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Memory written: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q4

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2426ecc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.71a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.71a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2426ecc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1685075768.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680947996.0000000002401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7812, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2426ecc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.71a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.71a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2426ecc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1685075768.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680947996.0000000002401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2462d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.2475060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7812, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	112 Process Injection	11 Masquerading	OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	58%	ReversingLabs	Win32.Trojan.Leonem
719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	58%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.comK	0%	Avira URL Cloud	safe
http://services.sunlightlabs.com/api	0%	Avira URL Cloud	safe
https://www.google.com/search?q=	0%	Avira URL Cloud	safe
http://crl.microC	0%	Avira URL Cloud	safe
104.250.180.178	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.1773627752.00000000058BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://services.sunlightlabs.com/api	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, XClient.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.1763690690.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microC	powershell.exe, 0000000A.00000002.1820030790.0000000006D10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.comK	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683772611.00000000054F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.17.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search?q=	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, XClient.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000005.00000002.1733234460.0000000003257000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1716414805.000000000449B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1716414805.00000000044AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1734504070.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1734504070.0000000004E4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1763690690.0000000004851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.0000000004551000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.1763690690.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.00000000046A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.1773627752.00000000058BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1814594573.00000000055BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1716414805.0000000004475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1734504070.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1763690690.0000000004851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1800892143.0000000004551000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1683796517.00000000065C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1474895
Start date and time:	2024-07-17 12:52:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe renamed because original name is a hash value
Original Sample Name:	719) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/22@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 328 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.89.179.12
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, 6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7264 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7920 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8096 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
06:52:58	API Interceptor	1512077x Sleep call for process: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe modified
06:53:05	API Interceptor	20x Sleep call for process: powershell.exe modified
06:54:49	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:53:19	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	LMSIN2407028 - PO# 4500577338, by 1x40' HQ .pdf.scr.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse
	rSO0105-PI-514124SO0105,702(CFS-CY)FIRSYD.scr.exe	Get hash	malicious	XWorm	Browse
	DELAY NOTICE - ONE_FORTUNE - 001W (MD22425W).scr.exe	Get hash	malicious	XWorm	Browse
	ISF 10+2 Form+VGM - MX-M354N_20240709_134303.scr.exe	Get hash	malicious	Remcos	Browse
	.pdf.scr.exe	Get hash	malicious	Remcos	Browse
	.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	@#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	17eb6f223723f4f80cc9c443b6f751fa690eb67e44643d688a305ab96e7dafae_payload.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	LMSIN2407028 - PO# 4500577338, by 1x40' HQ .pdf.scr.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse	104.250.180.178
	103.124.105.111-mips-2024-07-17T05_21_08.elf	Get hash	malicious	Mirai, Moobot	Browse	193.37.59.116
	https://login.hamgamtakhfif.ir/#afroditi.ladovrechis@innocap.com	Get hash	malicious	Unknown	Browse	91.202.233.193
	strathconaregistry policy for 2024 FYI.html	Get hash	malicious	HTMLPhisher	Browse	91.132.139.168
	strathconaregistry policy for 2024 FYI.html	Get hash	malicious	HTMLPhisher	Browse	91.132.139.168
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141
	Setup.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine	Browse	91.202.233.141
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	135.84.213.214
	crosscheckrosefloweronhairbeauty.gIF.vbs	Get hash	malicious	Remcos	Browse	194.187.251.115
	swCQS5MMLX.rtf	Get hash	malicious	Remcos	Browse	194.187.251.115

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CH5FQLPZHWQW5TXD_6eeabbae5e165c4a861c92134e9484f56eb98e6_b956fc39_9100153d-56bc-45e0-9f1e-ac46bf4ebbca\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3755725991852268
Encrypted:	false
SSDEEP:	384:ok+6SJdvjdBU/pAHa+4hezuiFLY4IO8Bln:z+6STjdBU/pAHaXezuiFLY4IO8Bl
MD5:	522DE7226B1AC63420AE052FE84E5D53
SHA1:	FDD4691A98C291A7374DF204BA246483C63DC398
SHA-256:	8C47B201D6A4CBDC0F62F50A29619EFB8846213969E8802DAA490E6ACC0AA334
SHA-512:	572BCBEB5A208164F136DBD9E86344B568D76792713044F879899E739A8248A04DC60380A77ECABD81F792429F545A8B5F89741C22EE2B68B7D95DD8528DE025
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.6.8.7.2.8.6.5.4.7.5.2.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.6.8.7.2.8.7.1.5.6.8.9.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.0.0.1.5.3.d.-.5.6.b.c.-.4.5.e.0.-.9.f.1.e.-.a.c.4.6.b.f.4.e.b.b.c.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.4.7.4.e.1.7.-.a.7.a.6.-.4.5.e.3.-.9.f.8.7.-.e.2.b.5.d.4.8.7.0.f.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.1.9.#.U.6.6.5.a.). .H.B.L.#. .L.M.S.I.N.2.4.0.7.0.2.8. .(.b.y. .S.E.A.). .P.O.#. .4.5.0.0.5.7.7.3.3.8.,. .b.y. .1.x.4.0.'. .H.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.j.E.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.8.4.-.0.0.0.1.-.0.0.1.4.-.c.e.6.7.-.9.6.7.c.3.7.d.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.e.6.b.7.0.9.4.0.c.4.1.7.f.d.f.d.f.7.7.0.0.d.f.d.2.f.8.3.0.d.9.0.0.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71E3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 17 10:54:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	381941
Entropy (8bit):	3.511741647442654
Encrypted:	false
SSDEEP:	3072:5xhSLc4uEqryUYUMZLTgfu59jwlFEmvx+DD8Ajqy980U:57SLc4ey/UoTgfunEf
MD5:	3E213623648F32D603AB4FD48815A6CF
SHA1:	C8BA21FCCEFE9746BD031916475382F607B08EA6
SHA-256:	BFA74C936BD8F55D2D10C0861B03BF01C80068AE4E2DA302AD4E37B0D6875DAB
SHA-512:	9A5AACEE151C4E879F01D9D7FC1DE153527D8E2F1A076821C9BFA36775F4953C9ED9950338D5004D9E6B3D4350BDD18CE8B44437EF520C1223A7DA997653ABC1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f.........................&..........$....1.......,...{..........`.......8...........T............S..%............1...........3..............................................................................eJ......T4......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6566
Entropy (8bit):	3.7481401908544556
Encrypted:	false
SSDEEP:	192:R6l7wVeJeKmjE6R3YZAAprd89bkDsfYsm:R6lXJeKoE6R3YK3kofS
MD5:	D8B88189407E97B4648DC5748BB1CDEE
SHA1:	660C5234DCB7ED4B45C97313F241AF0B21B5FE51
SHA-256:	A043AF0C8DFD3055CE61AE1EB17C1953743519B8A54CE513D417C707D27DD73F
SHA-512:	2ADF915D16A79437FB803BB6AED73872964C1B79C2349830EA8A594487205B726DB11A357BE1476B986890E233C54DCF9D5B26765141D15342FA943E92B27861
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73E9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4947
Entropy (8bit):	4.612700773159204
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg77aI9w7WpW8VY7Ym8M4JahpFGw+q8vvhLNmZ8DwMKd:uIjfpI7KK7VfJaDKvhwZ8LKd
MD5:	0B70D6544F40AC4EB46E7ADA1225049F
SHA1:	E2FE4BA77116262A85868EC7ABAE4319BA0BA5EF
SHA-256:	59EC614AF78BB9D65923D6B94159B108535794463C578CCD9ECE2FA1733F01E0
SHA-512:	6E244198BE3429B0F3E2D517BADB6C1A2146FB6DC60A161F11C4E934B75DCF45E19581A04C26F9B46696EE8BA97B9009E5DE83C8EB6A21EAA619256D0E171D48
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="414837" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.378656660173192
Encrypted:	false
SSDEEP:	48:YWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8vUyus:YLHyIFKL3IZ2KRH9OugMs
MD5:	606D32F377AD35DA05BE0F6988F0F25A
SHA1:	B440DEB8F5AC74255820CB26C37469156565AA7E
SHA-256:	8177E4D50280ECD8330FA9AD9E41176574FD455AD476705689955D5D4488F6E4
SHA-512:	4F94299F87F0103198EE42A9E60CF692E6F98C8868C59DFF9BA2B0DCC208CF10BCE07A1089130D329ECF4589F85C823EEBA8CD5B41E6D171FED612BC96BF4EC8
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01bay35h.on5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wddgtpb.1q3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dxww1fj.1z2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfpcwqfp.mgt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eq54itpa.dze.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2mxthd3.tl5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hitzmhp2.yhd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkjvhu34.xn5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ompeodq2.eme.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ri3llwur.aoy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0lfl0vd.bd1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfkjlebk.mfz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jul 17 09:53:15 2024, mtime=Wed Jul 17 09:53:15 2024, atime=Wed Jul 17 09:53:15 2024, length=528384, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.041192177853118
Encrypted:	false
SSDEEP:	12:8/hSn/C24FWCB1dY//0lLyf3jAsA5rHkBxXBmV:8o/0k81+sBiTAsCY3XBm
MD5:	309BDB7248B6F1EF3419E1F552F7A11F
SHA1:	9D31B857A008DE87EF32FD0C3D5F76C41498ABCE
SHA-256:	09A100C95F0EDA6CD489E77342DA7F859D12E0DB415668BF28F1E3BA40B0176F
SHA-512:	8B04371C256A0B55803EF84FFFA17AD23D6D2C7BCE437868A75F5C141C7A6E5BBA0C20005E789E147D580A5E4B22B84BDB1F6255CC72952CF8A6857C27015FBA
Malicious:	false
Preview:	L..................F.... .....k.7.....k.7.....k.7...........................v.:..DG..Yr?.D..U..k0.&...&......vk.v.....oxw7....4r.7.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.V...........................%..A.p.p.D.a.t.a...B.V.1......X.V..Roaming.@......CW.^.X.V..........................WH..R.o.a.m.i.n.g.....b.2......X.V .XClient.exe.H.......X.V.X.V....i.....................n(..X.C.l.i.e.n.t...e.x.e.......Y...............-.......X.............s......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......855271...........hT..CrF.f4... .{.T..b...,.......hT..CrF.f4... .{.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	7.85019178612059
Encrypted:	false
SSDEEP:	12288:S5BSjHz3ptiKzMKShInyHR1TF3ohzl+HKpWNQdRlF6x:BaiSIny1pcS4Rv6x
MD5:	5C6891085E07E545D17151A95C09CF91
SHA1:	7FD72F615E08A093726200B6ECB3B79C0F4FFC90
SHA-256:	ECEC98C92CC04B0D294A56A3AB45956F19DBE5D1DAD5F2F2BEEE48FD0EB1845B
SHA-512:	B4A9C40A2F9F44020658207205E5992A35EBD5A3ECB016ECEF3174CE0BE5BE8570E7366B45B4FFDAA2BC21800548DB3E28FE788CE0ED3B94D7689F3C8AB696DE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.f..............0......@........... ........@.. .......................@............@.....................................O........#................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc....#.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466059533900098
Encrypted:	false
SSDEEP:	6144:oIXfpi67eLPU9skLmb0b4GWSPKaJG8nAgejZMMhA2gX4WABl0uNkdwBCswSb0:9XD94GWlLZMM6YFHq+0
MD5:	1FB54941222B4F5C190A656C82F41E60
SHA1:	7C86D5CA1BD00B9C01C714CE729CAE974CA47CBA
SHA-256:	83A882B778BD7169775E8D36DB0F73D7274F623CE3C0BE1926BB367F8211D334
SHA-512:	B26D4226D77406D4A7598DC112A2F94621354AD6E0EB850FA6D518CA545FE5A1DA89BE7BC5FDD32B7FEF595BB7D1A1EE19745904E9E7DC228EC0FB7618366D91
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmF...7................................................................................................................................................................................................................................................................................................................................................8.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.85019178612059
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
File size:	528'384 bytes
MD5:	5c6891085e07e545d17151a95c09cf91
SHA1:	7fd72f615e08a093726200b6ecb3b79c0f4ffc90
SHA256:	ecec98c92cc04b0d294a56a3ab45956f19dbe5d1dad5f2f2beee48fd0eb1845b
SHA512:	b4a9c40a2f9f44020658207205e5992a35ebd5a3ecb016ecef3174ce0be5be8570e7366b45b4ffdaa2bc21800548db3e28fe788ce0ed3b94d7689f3c8ab696de
SSDEEP:	12288:S5BSjHz3ptiKzMKShInyHR1TF3ohzl+HKpWNQdRlF6x:BaiSIny1pcS4Rv6x
TLSH:	D8B412083AD8C369E5FF2B7035B1426A0331710BA972FA4F1F8D748C26267D64563BE2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..f..............0......@........... ........@.. .......................@............@................................

File Icon


Icon Hash:	f1bc8fa3a78eade3

Static PE Info

General

Entrypoint:	0x47d6ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6695E851 [Tue Jul 16 03:26:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7d69c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x2380	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7b6f4	0x7c000	fb09672f2216ac61555104488ee70343	False	0.9344403666834677	data	7.9281189787456015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x2380	0x3000	59a4abbce02a8b0e701cafa3b7f85626	False	0.5648600260416666	data	5.9192360271714035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x1000	ffbe41c603481afbeee7a058ce08af01	False	0.00927734375	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x7e100	0x1535	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9720022103518143
RT_GROUP_ICON	0x7f648	0x14	data	1.05
RT_VERSION	0x7f66c	0x23c	data	0.47027972027972026
RT_MANIFEST	0x7f8b8	0xac1	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3937522702506357

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/17/24-12:53:31.696206	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49747	7061	192.168.2.4	104.250.180.178
07/17/24-12:54:51.334995	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7061	49747	104.250.180.178	192.168.2.4
07/17/24-12:54:33.906541	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49747	7061	192.168.2.4	104.250.180.178
07/17/24-12:54:25.367079	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7061	49747	104.250.180.178	192.168.2.4

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-17T12:54:33.906541+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49747	7061	192.168.2.4	104.250.180.178
2024-07-17T12:53:17.886385+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49746	52.165.165.26	192.168.2.4
2024-07-17T12:54:51.334995+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	7061	49747	104.250.180.178	192.168.2.4
2024-07-17T12:53:46.332240+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49764	52.165.165.26	192.168.2.4
2024-07-17T12:53:31.696206+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49747	7061	192.168.2.4	104.250.180.178
2024-07-17T12:54:25.367079+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	7061	49747	104.250.180.178	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 17, 2024 12:53:16.770406961 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:16.775427103 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:16.775518894 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:16.894078016 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:16.899049997 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:25.435924053 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:25.475193024 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:31.696206093 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:31.702297926 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:32.064956903 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:32.066936970 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:32.071875095 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:46.507790089 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:46.512862921 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:46.829230070 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:46.832586050 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:46.837714911 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:56.156040907 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:56.156069994 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:56.156090021 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:53:56.156168938 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:53:56.156338930 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:01.319346905 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:01.324402094 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:01.568327904 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:01.577011108 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:01.581757069 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:16.131860971 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:16.151787996 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:16.396439075 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:16.398545980 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:16.403556108 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:25.367079020 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:25.412719965 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:30.788285971 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:30.793596983 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:31.202255011 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:31.203949928 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:31.208787918 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:33.600606918 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:33.605617046 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:33.904242039 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:33.906541109 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:33.911484957 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:50.763906956 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:50.975264072 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:51.045126915 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:51.045166016 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:51.334995031 CEST	7061	49747	104.250.180.178	192.168.2.4
Jul 17, 2024 12:54:51.381511927 CEST	49747	7061	192.168.2.4	104.250.180.178
Jul 17, 2024 12:54:53.249695063 CEST	49747	7061	192.168.2.4	104.250.180.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 17, 2024 12:53:44.467715025 CEST	53	60147	162.159.36.2	192.168.2.4
Jul 17, 2024 12:53:44.964343071 CEST	53	54364	1.1.1.1	192.168.2.4

Analysis Process: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exePID: 7700, Parent PID: 2580

General

Target ID:	0
Start time:	06:52:57
Start date:	17/07/2024
Path:	C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"
Imagebase:	0xe0000
File size:	528'384 bytes
MD5 hash:	5C6891085E07E545D17151A95C09CF91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1685075768.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1680947996.000000000245F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1680947996.0000000002401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exePID: 7812, Parent PID: 7700

General

Target ID:	2
Start time:	06:52:58
Start date:	17/07/2024
Path:	C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"
Imagebase:	0x8c0000
File size:	528'384 bytes
MD5 hash:	5C6891085E07E545D17151A95C09CF91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2783853334.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2789309072.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:53:02
Start date:	17/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:53:02
Start date:	17/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:53:03
Start date:	17/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe'
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:53:03
Start date:	17/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:53:05
Start date:	17/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:53:05
Start date:	17/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:53:09
Start date:	17/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:53:09
Start date:	17/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:54:44
Start date:	17/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 2196
Imagebase:	0xff0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exePID: 7700, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	3

Executed Functions

Function 06FBB845 Relevance: 5.1, Strings: 4, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FBB933
$^q, xrefs: 06FBB8C8
$^q, xrefs: 06FBB8D4
$^q, xrefs: 06FBB93F

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b2c2db2a8a314c02cf7d085826176729dfea8fbd1de26618f0dcba7ad2e483de
Instruction ID: adfe0bd32b196806481124d0cbabd7f9092ff48feab4c4518d2b67c332fe4021
Opcode Fuzzy Hash: b2c2db2a8a314c02cf7d085826176729dfea8fbd1de26618f0dcba7ad2e483de
Instruction Fuzzy Hash: 45416134B402089FDB189F7AD858BAE7AE3EF88740F108469E506EF399CF359C058B50

Function 04EE62C2 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04EE6307
, xrefs: 04EE630E

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 11baeed2e676987de8de687711a1791fccf5e8cfd21f00220ba4cd6fdae71fc5
Instruction ID: b6acc5213961197184efb4c5fb26bc233d63a0981ded04ff5d98c46e94114bdf
Opcode Fuzzy Hash: 11baeed2e676987de8de687711a1791fccf5e8cfd21f00220ba4cd6fdae71fc5
Instruction Fuzzy Hash: C0718D31914701CFEB00EF29D885554BBF2FF86314B4186A8D949AF226EB75ED95CF80

Function 04EE5B94 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04EE6307
, xrefs: 04EE630E

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e4cc7663fffe961f1bf8a51e493852c7cb6e8979c09421fea90f4832cb6cdcc0
Instruction ID: e5c6ba5ece71dd9b2b231d6e3ce933e223d93a8105d9422f2113474056bd972d
Opcode Fuzzy Hash: e4cc7663fffe961f1bf8a51e493852c7cb6e8979c09421fea90f4832cb6cdcc0
Instruction Fuzzy Hash: DF616D31910601CFEB00EF2AD884555BBF2FF85314B4186A8D949AF22AEB75FD94CF80

Function 04EEA848 Relevance: 2.6, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 04EEB748
Hbq, xrefs: 04EEB7E6

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: f942ff50caccc533419b3acf2135aa54ddab4611e70a1d130366fdb4981157b7
Instruction ID: 84efebcc70593bd13cc21cfc12f2a638c7d76943e29f928470df19e4f211366f
Opcode Fuzzy Hash: f942ff50caccc533419b3acf2135aa54ddab4611e70a1d130366fdb4981157b7
Instruction Fuzzy Hash: 27418831B406148FDB49EB39C85062A7BE6EFC930471089BDD50AAB365DF35EC86CB84

Function 06FBB670 Relevance: 2.6, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 06FBB706
Te^q, xrefs: 06FBB6BF

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: d421088023db2cd649a8959c9d675d7a61298515137f85f590b7151b320d4b76
Instruction ID: ce968d36792cfbd1163fe1d2cf38a1e9f8d6237a857b3f36c675dd8bf62c2209
Opcode Fuzzy Hash: d421088023db2cd649a8959c9d675d7a61298515137f85f590b7151b320d4b76
Instruction Fuzzy Hash: FA41B6B4B002149FDB05AF69D8547FE7AE7EF88795F104419E502AF388CF789D068BA1

Function 06FBB680 Relevance: 2.6, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 06FBB706
Te^q, xrefs: 06FBB6BF

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 921172c3724f8756d8c8873eb4cf53324848f21ca7832c50a790c7b848a8a2a8
Instruction ID: fe088e1601f4d2112a15a297fbf734763fac09f65c31a323f681dd230c7f0356
Opcode Fuzzy Hash: 921172c3724f8756d8c8873eb4cf53324848f21ca7832c50a790c7b848a8a2a8
Instruction Fuzzy Hash: 3931B974B001049FDB05AF6AD4547BE7AE7EF88745F104419E502AF388CF78AD058BA1

Function 06ADCF44 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ADD17E

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 08b73bd0ac7e3346b1ed04e22c06eea39e7f15ab19987abada6eb938270efeae
Instruction ID: 8e13897c2c54030eaa01bd8df035f0527d7214292339e1d62fb325a9d4e5d029
Opcode Fuzzy Hash: 08b73bd0ac7e3346b1ed04e22c06eea39e7f15ab19987abada6eb938270efeae
Instruction Fuzzy Hash: 23916C71D00219DFDB64EFA8C8407DDBBB2FF48314F1485A9E85AA7240DB749986CF92

Function 06ADCF48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ADD17E

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4bb0db4fab88bb97ceccc1217da897b915edadfcbc11553b26975821f933c3cc
Instruction ID: 65dceca44f6e6d7655b875330caef60d1fa891e93276e885ce0ec9a913df20a6
Opcode Fuzzy Hash: 4bb0db4fab88bb97ceccc1217da897b915edadfcbc11553b26975821f933c3cc
Instruction Fuzzy Hash: 40916C71D00219DFDB64EFA8C8407DDBBB2BF48314F1485A9E85AA7240DB749986CF92

Function 0224ADA8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0224AFFE

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 85a841c5faa0ac1b00e0ff65a5f8f4eb0fd97494252f87fcafd5d4471fe51b98
Instruction ID: 0a41dc0dff445f1b5ebd2bc889ffd89c61aa0982c838e737ba4727a8125f9a57
Opcode Fuzzy Hash: 85a841c5faa0ac1b00e0ff65a5f8f4eb0fd97494252f87fcafd5d4471fe51b98
Instruction Fuzzy Hash: 45712270A50B058FD728DF69D45479ABBF2FF88304F008A2DD09ADBA54DB75E845CB90

Function 0224590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022459C9

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d600d85bb9befa672191ac76593307b3597eec6163282c8120719f35dafc511e
Instruction ID: 9977e4bcdb463459dc0c764b4a2ea54420cd656c9ef245a4b5e4079c1b6ec040
Opcode Fuzzy Hash: d600d85bb9befa672191ac76593307b3597eec6163282c8120719f35dafc511e
Instruction Fuzzy Hash: C841E5B1C00619CFDB24DFA9C884BCEBBF5BF44304F24806AD448AB255DB756986CF90

Function 022444D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022459C9

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 53dc119136aec0576cd69e1bc3e9f202b67f6a9f7045b02f853d37060c4ccf95
Instruction ID: 6f8a6bd918e7854304789c23a5d841e08bf61c5f9c9bc68e2b9ed558e3880589
Opcode Fuzzy Hash: 53dc119136aec0576cd69e1bc3e9f202b67f6a9f7045b02f853d37060c4ccf95
Instruction Fuzzy Hash: D741E2B0C1071DCBDB24DFA9C884B9EBBF5BF48304F64806AD448AB255DB756989CF90

Function 02245A84 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624ceecb6911e05ffd7fe496c1284ad2582afb2be3ef4db1d1558bbd603dee69
Instruction ID: e6659094e4ae22149b658ada5c124a50d4ce9d71ad3321de76a4ffefd8329bbf
Opcode Fuzzy Hash: 624ceecb6911e05ffd7fe496c1284ad2582afb2be3ef4db1d1558bbd603dee69
Instruction Fuzzy Hash: 2231FE70804349CFDB14DFE8C8447ADBFF1EF16308F94419AD085AB2A9DB79A94ACB51

Function 06ADCCBA Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ADCD50

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 84dba501b3bfaaf113530914ce284399864e40a0e879185601f767560dd8d788
Instruction ID: c18c5fdb1995c1b13fd706a15ca90f1ceca6354fcff6d506ef29070ebe0159be
Opcode Fuzzy Hash: 84dba501b3bfaaf113530914ce284399864e40a0e879185601f767560dd8d788
Instruction Fuzzy Hash: 882144B1D002498FCB10DFA9C885BDEBBF4FF48320F10842AE959A7251C7789984CBA4

Function 06ADCCC0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ADCD50

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4df91b04d28e23b71560970c00ce6061a0559f7d1c0e162afa2df0b93af6a0ab
Instruction ID: a1f49d14b31688458ab9b154022d864bd88df73a3f96b13219aa371fd390aaf2
Opcode Fuzzy Hash: 4df91b04d28e23b71560970c00ce6061a0559f7d1c0e162afa2df0b93af6a0ab
Instruction Fuzzy Hash: 7E2125B1D003599FCB10DFA9C885BDEBBF5FF48320F10842AE959A7250C7789944CBA4

Function 06ADCDA8 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ADCE30

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5f50bd385700cb5fc2b72059339e6ae2dae3f033f7acb5183e2cee2adaae4d3a
Instruction ID: a9818eb503d83ddae3a20fc301461df8e8f6e003c4b952e9089c7599056abca8
Opcode Fuzzy Hash: 5f50bd385700cb5fc2b72059339e6ae2dae3f033f7acb5183e2cee2adaae4d3a
Instruction Fuzzy Hash: 0E2136B1D002598FCB10DFA9C885ADEFBF5FF48320F50842AE999A7251C7389545CBA5

Function 0224BB20 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0224D656,?,?,?,?,?), ref: 0224D717

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 306a86a672b58438730145e1a9be45d513332806a6505a13d8b2fa699501897a
Instruction ID: 273d285ed80ea3ea6d053f3567e5e1f0bcc8c08f45e2803c2a034a447a3ca77d
Opcode Fuzzy Hash: 306a86a672b58438730145e1a9be45d513332806a6505a13d8b2fa699501897a
Instruction Fuzzy Hash: B921E3B5900248DFDB10CF9AD584ADEFBF4EB48324F14805AE958A7350D374A950CFA4

Function 06ADCB22 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADCBA6

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d9fe31dd0969d779ce0d12a965f10d2044cebe08e8d5785107cad99c01542123
Instruction ID: c2d10aeca1a8d52324e9181546dd4d93ae715e74bb7faa3282a53bafc609f9c2
Opcode Fuzzy Hash: d9fe31dd0969d779ce0d12a965f10d2044cebe08e8d5785107cad99c01542123
Instruction Fuzzy Hash: C62149B1D002098FDB50DFAAC4857EEFBF4EF88324F50842AD859A7241D7789985CFA4

Function 06ADCDB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ADCE30

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a6061be2505a1f2f94244eaa92311f6d152fabbee5be6e76c6fcc144b1f9b24f
Instruction ID: 2739e4637fb79cf027bc3e0753dc7e09371afd7a0a98cab77743ffad2d23f7bd
Opcode Fuzzy Hash: a6061be2505a1f2f94244eaa92311f6d152fabbee5be6e76c6fcc144b1f9b24f
Instruction Fuzzy Hash: EA2128B1C002599FCB10DFAAC881ADEFBF5FF48320F508429E559A7250C7789544CBA4

Function 06ADCB28 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADCBA6

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4c8747902e87ef33b1f010ef64cc33af33ee608c2a2712299e742c7f1fe1363f
Instruction ID: 6162a88f0bfa81ef276b99081cfa82c44fbb784aae4eb847d1ed59520f3ed9eb
Opcode Fuzzy Hash: 4c8747902e87ef33b1f010ef64cc33af33ee608c2a2712299e742c7f1fe1363f
Instruction Fuzzy Hash: 6C2138B1D002098FDB10DFAAC4857EEBBF4EF88324F50842AD459A7241C7789984CFA4

Function 0224D688 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0224D656,?,?,?,?,?), ref: 0224D717

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8eefa1fdcd301498f829d2944d7ef7283df66caf915a82ee749bd2a3155baa86
Instruction ID: 3e2820d76604678934bed71c6b1b487121b56b17374dd9898147818ccf775d20
Opcode Fuzzy Hash: 8eefa1fdcd301498f829d2944d7ef7283df66caf915a82ee749bd2a3155baa86
Instruction Fuzzy Hash: AA21E2B5900209DFDB10CFA9D584ADEBBF5FB48324F14842AE954B7360C378A940CFA5

Function 0224A148 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0224B079,00000800,00000000,00000000), ref: 0224B28A

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 238c16ee52bded97bab255a47d0374f1496e7acb6a0e707ced94bd1c274cd761
Instruction ID: c5672a4cd121469e98323b38793bc40e6d49cccbee887b765f91adea803352c2
Opcode Fuzzy Hash: 238c16ee52bded97bab255a47d0374f1496e7acb6a0e707ced94bd1c274cd761
Instruction Fuzzy Hash: FC1114B6D003099FDB14CFAAD444ADEFBF4EB48724F10842AD819A7210C7B5A945CFA4

Function 06ADCBFA Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ADCC6E

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3465941087c456c5433c421e1c6742e87ae7c46d79048303d8d772fcd979d384
Instruction ID: b384362b349833f1cea914947e7c537b24ef7e21e870289f456277a77447e8c3
Opcode Fuzzy Hash: 3465941087c456c5433c421e1c6742e87ae7c46d79048303d8d772fcd979d384
Instruction Fuzzy Hash: 411126729002498FCB10DFA9C945BDFBBF5EF88324F208419E55AA7260C775A594CFA4

Function 0224B218 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0224B079,00000800,00000000,00000000), ref: 0224B28A

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 778fb640279d8892ad9e2f27e6c6171095f9c47c16b3e80a223e0bef23efd722
Instruction ID: 0f0a32bf71123e230ffe08ac5e9730b2992a77bb39e0b87a33da486217bc001b
Opcode Fuzzy Hash: 778fb640279d8892ad9e2f27e6c6171095f9c47c16b3e80a223e0bef23efd722
Instruction Fuzzy Hash: DB1156B6D0020A8FDB14CFAAC484ADEFBF4EB48314F10802AD818A7610C378A585CFA4

Function 06ADCC00 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ADCC6E

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 527776f97413531a6f448f2edaca752cbd2666558c149ef838b4714a87670f5e
Instruction ID: 1556955cc5d0fbf232f8384653393b38860c74c258b56aebf1f29200baa20e69
Opcode Fuzzy Hash: 527776f97413531a6f448f2edaca752cbd2666558c149ef838b4714a87670f5e
Instruction Fuzzy Hash: 3A1126719002499FCB10DFAAC844BDEBBF5EF88324F208419E559A7250C775A944CFA4

Function 06ADCA72 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ADCADA

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3d26d76c7e3f35c7bb148cf257733dfb2548be8b6ce13ca74a220365ec0a7e34
Instruction ID: ccb8e5ed30d623437b72a22352b39e21ebd092e84f604f4699874499ba963423
Opcode Fuzzy Hash: 3d26d76c7e3f35c7bb148cf257733dfb2548be8b6ce13ca74a220365ec0a7e34
Instruction Fuzzy Hash: 111128B1D002498FDB24DFA9C4457DEFBF5EF88324F20841AD55AA7250CB746585CF98

Function 06ADCA78 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ADCADA

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b910d7285296c709286569d3ca52b0fa5cc39fa6c88c6c6fdee58ce5cfb71d51
Instruction ID: 2653dc3c271d5969003d2c990c1fe594f549ffeba7bf8daf8a310f5d37745a85
Opcode Fuzzy Hash: b910d7285296c709286569d3ca52b0fa5cc39fa6c88c6c6fdee58ce5cfb71d51
Instruction Fuzzy Hash: 0F113AB1D002498FCB10DFAAC4457DEFBF5EB88324F208419D45AA7250CB75A544CF94

Function 06ADB500 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06ADF2CD

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 035f2ff728ae0372d32e58b2b9729ec2662e25022f96ff49abe8db755188da97
Instruction ID: 9e618066c23b16cc9813bdbe836da2230a37e2a746cef68a5df75571057ad9a6
Opcode Fuzzy Hash: 035f2ff728ae0372d32e58b2b9729ec2662e25022f96ff49abe8db755188da97
Instruction Fuzzy Hash: 0111F5B58003489FDB10DF99D444BDEBBF8EB48324F108459E555A7210C375A984CFA5

Function 0224AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0224AFFE

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4534fa06214162ac0b3b00d102e4d17eed7ee655030bea4d41d17c4ff774539f
Instruction ID: 61737349ffb638ef1401f07dcc5757871ebe933981d2d93daf7e1ecaa13d05eb
Opcode Fuzzy Hash: 4534fa06214162ac0b3b00d102e4d17eed7ee655030bea4d41d17c4ff774539f
Instruction Fuzzy Hash: 421110B6C002498FCB14CF9AD444BDEFBF4AB88328F10842AD868A7210C779A545CFA1

Function 06FB4BF0 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

(bq, xrefs: 06FB4CFC

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 232c9c55caa2e481429d3bf909fd106d8f354f9435c931a5e3af1f01c152edc9
Instruction ID: c0be3281d2f2d54ffe186bf615565bf40f2ad818e61ba56d13bcdbb782b3dd93
Opcode Fuzzy Hash: 232c9c55caa2e481429d3bf909fd106d8f354f9435c931a5e3af1f01c152edc9
Instruction Fuzzy Hash: 87919130B006048FDB54DF69D954AAEB7F2FF89700B118569E406EB3A9DB74EC45CB90

Function 06FB4CFB Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

(bq, xrefs: 06FB4CFC

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: efcecf774e6cc4cadaa89a9367055f56d1d3e0e75185f01a2f8cc7467b73ae8d
Instruction ID: 646fb50adce1ec63aa9950ede5c3d0108bdeba5470ab78a5fee6d43ed75777f1
Opcode Fuzzy Hash: efcecf774e6cc4cadaa89a9367055f56d1d3e0e75185f01a2f8cc7467b73ae8d
Instruction Fuzzy Hash: 4851C231B406008FDB59EB79C4546AE7BE2FF89300B158469E046DF3A9DB74EC42CB91

Function 06FB28F0 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

(bq, xrefs: 06FB2981

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 853b9c8dfa28c9cdbf397a8118528b3429b2ba4352dd8508bf354fc6eabfae65
Instruction ID: ba668b3ed4ae2e67db36a6dd28a08a9b74f37ee4b777dfa5e125244d23bfce06
Opcode Fuzzy Hash: 853b9c8dfa28c9cdbf397a8118528b3429b2ba4352dd8508bf354fc6eabfae65
Instruction Fuzzy Hash: 5841EE31F046209FDB59AB3EA42017E3BE7AFC96907154169C406DB3A4EF24DE02CBD5

Function 06FB4BE0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06FB4B94

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 106761f5fdc737c3e22318f6f5388316424f7e98f71ae79197b44fed55c4a1e8
Instruction ID: 8ccdf434e9c9bce32ab48e44658341998ab55b2ab0279075d2ccd26ec08e1857
Opcode Fuzzy Hash: 106761f5fdc737c3e22318f6f5388316424f7e98f71ae79197b44fed55c4a1e8
Instruction Fuzzy Hash: B1413A70A006099FDB54DFA9DA94BEEBBF2BF48700F109528D406AB759CB31E944CB90

Function 06FB4A42 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06FB4B94

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 069ef577ab3b32f972f427a302237efc0c77c06e0f1efba84768342448559337
Instruction ID: f987f11c4062146effb9d9b28b90d1a7d286d98115c7f6fc43a49b6c6493fca3
Opcode Fuzzy Hash: 069ef577ab3b32f972f427a302237efc0c77c06e0f1efba84768342448559337
Instruction Fuzzy Hash: 91214835B402008FEB84DF66C698AAD7BF5BF49604B1555A9E112DB3AACB31DD00CF60

Function 06FBBA60 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

A, xrefs: 06FBBA71

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 439d072edc890784019f2c824ebc35efaa2f674d390292c58e1ebf1bc79903fc
Instruction ID: e990fdb992e811ca4d4403b9870a5ecd91a25a181bdbc486945b3f9441632064
Opcode Fuzzy Hash: 439d072edc890784019f2c824ebc35efaa2f674d390292c58e1ebf1bc79903fc
Instruction Fuzzy Hash: 6FF04C353462419BC302A7B4A8559ED3FA7DBC6250F55806AE41ACB255CF384D1787A2

Function 06FB7F88 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da6f31a93b56aef5ddd4a5c4eb7ef0db7b14317a0e0b8d8eeb5178e12a0105d
Instruction ID: 6831b3e603d694f2376109c6eaba235e1bd8169ddbb1c05f4c2fb772044f1c1c
Opcode Fuzzy Hash: 9da6f31a93b56aef5ddd4a5c4eb7ef0db7b14317a0e0b8d8eeb5178e12a0105d
Instruction Fuzzy Hash: 0C6222B0E05B459BDBB05F7684983EE7AA9FB81380F10591EC0BFCA6D4EB3594528F05

Function 06FB08F0 Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44014aa81f8fc2a5d77d45841021db8ebd9cb85a77e01bac69f5e44aa3a0c270
Instruction ID: 95a3a5b9ea72a30be4aef50a1b26e6ecb66946ca59ad5769426c434b61a6869c
Opcode Fuzzy Hash: 44014aa81f8fc2a5d77d45841021db8ebd9cb85a77e01bac69f5e44aa3a0c270
Instruction Fuzzy Hash: AC720A31D10609CFDB14EF68C8946ADBBB1FF45304F0486A9D54AAB265EF34AAC5CF81

Function 04EEDB58 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17688ac5ca1a10f6ea10e0fdf2a56ed052cdbbf6ba52e583b37bbd6a930700dd
Instruction ID: 55788115499b1fa4404af1556dc407315c83d3c78738a9cc3cf3ad65b9132740
Opcode Fuzzy Hash: 17688ac5ca1a10f6ea10e0fdf2a56ed052cdbbf6ba52e583b37bbd6a930700dd
Instruction Fuzzy Hash: 7442CA31E1061ACFCB14DF69C8846EDB7B1FF89304F1196A9D459BB251EB70AA85CF40

Function 06FB1F90 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f01cb987b6218741d4b98c6d55ccff61195a9b49b268193c5e5476ce7831cc
Instruction ID: b744c3f3a601411284772c464a02818a53140ef7843add1888bb46bf06087734
Opcode Fuzzy Hash: c8f01cb987b6218741d4b98c6d55ccff61195a9b49b268193c5e5476ce7831cc
Instruction Fuzzy Hash: EB223534A10214CFDB54DF6AC894BACB7B2FF89304F1496A8D44AAB365DB30AD85CF50

Function 06FB7FC8 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1071899af288f7a4d7108efa09e2def3770e9738738a8990e329ea251afc8f97
Instruction ID: be09674de6e682c603f995224c4bfcc3d76da019f8f5d3d6dcfa793dccf0e42f
Opcode Fuzzy Hash: 1071899af288f7a4d7108efa09e2def3770e9738738a8990e329ea251afc8f97
Instruction Fuzzy Hash: 64225AB0E05B465BD7B45B6684883DFA698FB853C0F20591BC0FFCA299E73490978F46

Function 04EEDB48 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e86d98868ce4e2ffe1f7a68d44290778dd2255d74ad539e86b2572aa14d71f
Instruction ID: 5896b97507f862a97bd9946539509e73ddaa3d8a405efc2440f4689b54617104
Opcode Fuzzy Hash: 66e86d98868ce4e2ffe1f7a68d44290778dd2255d74ad539e86b2572aa14d71f
Instruction Fuzzy Hash: 2EE1E931E006198FCB24DF69C884AEDB7B1BF49304F1196A9D459BB261EB70BE81CF40

Function 06FB9952 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12955c8c6cb9e2ffce18c44b1964629ecd5b282f90f46b7ef699368c39074a4
Instruction ID: 2b443e10918cb7c06b5635e4823b6d2c69b17b07e18df4cf276c921dd2b1aa7d
Opcode Fuzzy Hash: b12955c8c6cb9e2ffce18c44b1964629ecd5b282f90f46b7ef699368c39074a4
Instruction Fuzzy Hash: E58159747007008FD746AF79D9586BEBBA3EFC9304F408968D41A9B354DF38AD4A8B91

Function 06FB1E8C Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2373ad5a71eb2f32e29db3ccb2352b2b64500f8f3ac56b9ab22184d7ccb821fb
Instruction ID: 807948745692c71350ec79e97f619ffcd6b03b3e64e2c2bce8d40eda497f79b6
Opcode Fuzzy Hash: 2373ad5a71eb2f32e29db3ccb2352b2b64500f8f3ac56b9ab22184d7ccb821fb
Instruction Fuzzy Hash: 2E91F635D00209DFDF55DFA9C840ADDB7B5FF48304F1486A9E949AB225EB30AA85CF90

Function 06FB9960 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0951d33d2d65294379619018fd00735f38267219798e01d9360f12a5451ba9c
Instruction ID: 61a42eaf39219f4825c25bbdf0778cf0200dc64c0f817a8ecc6305d8950352c9
Opcode Fuzzy Hash: a0951d33d2d65294379619018fd00735f38267219798e01d9360f12a5451ba9c
Instruction Fuzzy Hash: 188139747006008FD746AF79D9586BEBBE3EFC9304F408968D41A9B354EF38AD468B91

Function 06FB0280 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420ed845cb2b6427e9f3adf5f2416913ded31510ab91493babd0305de6447d98
Instruction ID: 61327c2f4ff445d38eb888196311e6ab62f41048565b68b254a1e935bd35079d
Opcode Fuzzy Hash: 420ed845cb2b6427e9f3adf5f2416913ded31510ab91493babd0305de6447d98
Instruction Fuzzy Hash: 39910775D1060ADFCB41DFA8C880999FBF5FF49310B14879AE819AB255EB30E985CF80

Function 04EEC1D1 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fbe19233f2c39ff64139b36823aa8621b1cdecd6214f78d1f5c5769362e5ba
Instruction ID: 4c2d3d82c32c60d64b91327909039814015538afdb86d0dcd867ee3a744344e1
Opcode Fuzzy Hash: 16fbe19233f2c39ff64139b36823aa8621b1cdecd6214f78d1f5c5769362e5ba
Instruction Fuzzy Hash: 1371A074A01248AFCB15DFA9D884DAEBBB6FF49714B254099F905AB362C731EC81CF50

Function 06FB26F0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02003d3a2b7985859b4cc7f5545bd3f0b73befd4dd6dff6a133a16f0ba91b2b
Instruction ID: c93d64b17c2183e9667eaf7b0478f9a957245bc39050ecf0e2c3ff05bd48ba37
Opcode Fuzzy Hash: e02003d3a2b7985859b4cc7f5545bd3f0b73befd4dd6dff6a133a16f0ba91b2b
Instruction Fuzzy Hash: 6E51AD30B042048FDB59DF69C8549BE7BF6BF89204B1400ADD406EB361DB34ED01CB60

Function 04EEB068 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06eeca4d14aaf39082d99071233af6a32082f91f76357af82cc7c55251f05193
Instruction ID: 1278bdb3bf9f2374d234bed2dcff6861239cf0317f69644faad747d1bc179be1
Opcode Fuzzy Hash: 06eeca4d14aaf39082d99071233af6a32082f91f76357af82cc7c55251f05193
Instruction Fuzzy Hash: CD51B230A003058FDB15EFA9D9946BEBBF2EF84304F148569D006A7355DF74AA86CB91

Function 04EEF7F0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75848520cce483a32588f97b80a40d20ab26f44a7d6ee960f1474200dc64600e
Instruction ID: 2a7c773914f898b9bd364aaec2be8dc1f491a02b80f5ccb8a8f4e9e202463093
Opcode Fuzzy Hash: 75848520cce483a32588f97b80a40d20ab26f44a7d6ee960f1474200dc64600e
Instruction Fuzzy Hash: D371AE79700A008FC718DF2AC588959BBF2FF8931471589A9E54ACB772DB72EC41CB50

Function 04EEF7E0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bf6bf4be3b3f02a3504595c1225053a262aa2f5737575231664b9b9677281e
Instruction ID: ee150d6368a2c88bf9f262ed79617c83958f31a3530e42c069032dd90433c146
Opcode Fuzzy Hash: e7bf6bf4be3b3f02a3504595c1225053a262aa2f5737575231664b9b9677281e
Instruction Fuzzy Hash: F171CFB9700A008FC718DF2AC488959BBF2FF8921471589A9E54ACB772DB71EC45CB50

Function 06FB1F70 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684da200fb8a9dbe0ba04c5b9a47bccbec4447c7bb7cad9ab74a4c11c6dfa600
Instruction ID: f5a01fde023f01ce0967b667cd33f0254accab5feecf3b290dda842dfcf58d6c
Opcode Fuzzy Hash: 684da200fb8a9dbe0ba04c5b9a47bccbec4447c7bb7cad9ab74a4c11c6dfa600
Instruction Fuzzy Hash: 21619930A106008FDB14EF7AC894BAC77B2BF89304F1496BDD4569F3A5DB71A949CB60

Function 04EEF600 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3aeaf08848f2695834338a4bb4d5b94e51a3eb3466ac0a7467b7bb247dde6
Instruction ID: 9ecc7cecb2fca6c5d191a12368151042f75216ee2d2db8449a96f251d9a0570d
Opcode Fuzzy Hash: a3d3aeaf08848f2695834338a4bb4d5b94e51a3eb3466ac0a7467b7bb247dde6
Instruction Fuzzy Hash: 1071A274A002069FCB04CF69D584999FBF1FF4D314B1986A9E80ADB726E734E885CF90

Function 06FB0270 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f966bac1ea87d9fa43a34ebc9d62ceda6b14d5a3bb5f24c4b8de75f71581f5
Instruction ID: f74a3ad3d8b22814e0692821a73d353035bc58c35f7789a216e56d1b58a16555
Opcode Fuzzy Hash: 11f966bac1ea87d9fa43a34ebc9d62ceda6b14d5a3bb5f24c4b8de75f71581f5
Instruction Fuzzy Hash: F0610A75D1070ACFCB41DFA8C8809DAFBB5FF49310B149796E859AB255EB30E985CB80

Function 06FBF558 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c9572077e631d141fec705b865b566b5f46786c557d49ec76ba3857cf86027
Instruction ID: 969adbb9b54f471705a9c6a5807fcd0c1a5c9433a470f1443e639b2afaeb3309
Opcode Fuzzy Hash: d8c9572077e631d141fec705b865b566b5f46786c557d49ec76ba3857cf86027
Instruction Fuzzy Hash: 5C512C79E0A209DFDB80CFAAD8849EDBBB5FB4E340F10A456D816E7315D7349811CB94

Function 06FBF568 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adeb02be3913bc094c171e98b8d6a0496445f9568a0560424e8cfa83d2903f6c
Instruction ID: 20b6633758cc972d3efb80b254197a189e439e5bb14250ade172d141bcc42b40
Opcode Fuzzy Hash: adeb02be3913bc094c171e98b8d6a0496445f9568a0560424e8cfa83d2903f6c
Instruction Fuzzy Hash: 99511B79E0A209DFDB80CFAAD8809EDBBB5FB4E350F10A455D816E7315D7349811CB94

Function 04EECA50 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0346078de67723566161c928eadf95bd3d77104a8f22085ec407dca4876f59cf
Instruction ID: ea71f4c2096d3dd4919d0b16508acee9796910f28582f590a87cbeb73d17bac2
Opcode Fuzzy Hash: 0346078de67723566161c928eadf95bd3d77104a8f22085ec407dca4876f59cf
Instruction Fuzzy Hash: CE51D434A10605CFCB04EF68C8989ACBBB6FF89704B1585A9E506EB375EB70AD45CB40

Function 04EECA60 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a06cb1bdc64821fc5427284ba21f48f1545477e612214c4ce8261adbc41039
Instruction ID: 9b17793219f72a21b4f35080c1933fce7ded374d795c286da415f84b3e6fdf98
Opcode Fuzzy Hash: 18a06cb1bdc64821fc5427284ba21f48f1545477e612214c4ce8261adbc41039
Instruction Fuzzy Hash: 7D51E534A10609CFCB04DF68C8989ADBBF6FF89704B1585A9E506AB371EB70ED45CB40

Function 04EED196 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2a4f3838219510635032afe56e351df24418d05813575f04b43763f50ac931
Instruction ID: a62b12eb97b66003061ff3dc8f465c69f627bab0301e3397f5083f354c8e287f
Opcode Fuzzy Hash: 2c2a4f3838219510635032afe56e351df24418d05813575f04b43763f50ac931
Instruction Fuzzy Hash: A041AB30B043468FCB15EF78D8548AEBBB2FF8920431045AED546DB352DB35AE06CBA1

Function 04EE5A18 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef34129ba95bbe8ad40e2f0386be011a2398136c1dc4c1f4f75dc154e5f1d01e
Instruction ID: 90d7819f776dd58f0b9da907c4f450075ed7015a94a98bdc08967c3f19381858
Opcode Fuzzy Hash: ef34129ba95bbe8ad40e2f0386be011a2398136c1dc4c1f4f75dc154e5f1d01e
Instruction Fuzzy Hash: C041D331640754DFCB19ABB984506BEB7A7EFC5319F04886ED01A9F360CF34A946CB91

Function 04EE6D80 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a6807a2e7ad6c14cfebdb5ca20549a4037abb4a649f5d5aeb980881f0cee39
Instruction ID: cfd1f7b2b8c3179bff848963426e8a18ac8a3b92d53429e0cceeaa77a7ef845a
Opcode Fuzzy Hash: e8a6807a2e7ad6c14cfebdb5ca20549a4037abb4a649f5d5aeb980881f0cee39
Instruction Fuzzy Hash: DA416B34A002198FCF15EFBAD5446EDBBF1EB48718F545129D805EB3A4EB34E945CBA0

Function 04EEB380 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6688d6122d3d0e98c2578931dbd2fcc4a79373467344f4421a96e849197399c8
Instruction ID: 1fed8cf6280f44d205f57886380eb784feb6a1eddde085fcf84a7ef87ee1e489
Opcode Fuzzy Hash: 6688d6122d3d0e98c2578931dbd2fcc4a79373467344f4421a96e849197399c8
Instruction Fuzzy Hash: AC511774A01209AFDB14DF95E594BAEBBB2FF48314F209068EA05AB360DB71BD40CB50

Function 06FB4D88 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78adfb5da292d3bf7fa2bb90c36ca97dc4e8944891b079965ac8b18de14ff835
Instruction ID: 6a6eb1b106dcc4e04a0fee9e807ec3b51e5bc6608c8de6bb1169915168acd3b2
Opcode Fuzzy Hash: 78adfb5da292d3bf7fa2bb90c36ca97dc4e8944891b079965ac8b18de14ff835
Instruction Fuzzy Hash: D4419F31B002048FDB58EF6EC544AAEB7E2FF89704B118569E106AF769DB70EC41CB90

Function 06FBF419 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95713353cd93f8adfefdd16114404fbfcf9e809f1e9a8f994174562a440e8e8
Instruction ID: d89f0fae4b2449ceb97e9be0ea6cbe1b6d429f67ea4409f3782741a503f8affe
Opcode Fuzzy Hash: b95713353cd93f8adfefdd16114404fbfcf9e809f1e9a8f994174562a440e8e8
Instruction Fuzzy Hash: BD412A75E0A218DFE784CF6BD9849FABBB8FB8E300B41A495D0599B226D730D915CB40

Function 04EE8D40 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0580d4c6e7ae90f967aa3669172c18260db89f350755f2279bb81dbfa5e363f4
Instruction ID: 4c7211073c07fc1bba9893ab438304cd8be8a54884d23416e4a4023c63f53015
Opcode Fuzzy Hash: 0580d4c6e7ae90f967aa3669172c18260db89f350755f2279bb81dbfa5e363f4
Instruction Fuzzy Hash: 5441D734A002188FDB54EFA9C894BEDB7B5BF48704F114069E505AB3A5DB79E805CFA0

Function 06FBF428 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2034bad75b862c1462e591ed8387ab19da0ae08e5ab50cb54ed238938a58a09
Instruction ID: bd9a981a60287642856df038b1d9f5154b726e4d46ef80c1e07d0569eabbe10c
Opcode Fuzzy Hash: d2034bad75b862c1462e591ed8387ab19da0ae08e5ab50cb54ed238938a58a09
Instruction Fuzzy Hash: 9F413875E0A218DFE784CFABD9849FABBF8FB8D300B41A495D0599B226D730D915CB40

Function 04EEE7E0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0dfaa5b0905c0ab225f5e1de510d7b9e1a5767ffb28a7aa11de1fb869b928cb
Instruction ID: 314d3bd040736b9eb86722a537ab0cf417d3d92fa10edfbfa707b60008ea0f07
Opcode Fuzzy Hash: b0dfaa5b0905c0ab225f5e1de510d7b9e1a5767ffb28a7aa11de1fb869b928cb
Instruction Fuzzy Hash: 1D414F34A10709CFCB04EFB8C4949ADBBB2FF89304F008569E156AB325EB71A945CB81

Function 04EE4AB8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fe7fcef5296f48da3f972f36e4932429571de24ad40326c5b07b3ffb144fca
Instruction ID: d1508164ca3c8800ffdeb7ea1b115d9601b5c39bde7f492ddd6dacaaa345124f
Opcode Fuzzy Hash: 86fe7fcef5296f48da3f972f36e4932429571de24ad40326c5b07b3ffb144fca
Instruction Fuzzy Hash: 53411C30A10709CFDB14EFA8C4949ADBBB6FF89304F008569E516AB325EB71B945CB81

Function 04EEF5EF Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0af20b5e9be956b8cbf302596492b5a42e8c2bb4b9c83ef725ce660dcf0a669
Instruction ID: 1945dd8e44ea66e221e2d03fc9df42d2fc962d497612a828f4db97ab85e8d829
Opcode Fuzzy Hash: d0af20b5e9be956b8cbf302596492b5a42e8c2bb4b9c83ef725ce660dcf0a669
Instruction Fuzzy Hash: 8641F774A002069FC714CF29D5849A9FBF1FF49304B158AAAE44ADB762E730E945CF90

Function 06FB5C20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a42af8e85480c07b8df422e6f1bccc9215d36cc92b844a1908d63d406d35c9
Instruction ID: d935f0790dd45ea94add00f2656eed6ecea90299177d04b9a30a09bc1987c2c9
Opcode Fuzzy Hash: 89a42af8e85480c07b8df422e6f1bccc9215d36cc92b844a1908d63d406d35c9
Instruction Fuzzy Hash: 40416F75E00209CFDB54DFA9C8446D9B7B1FF48300F1482AAD949AB255DB74AD85CF90

Function 04EE7537 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88910be7d9b5c9b596a9f3d6c77b9b1062d3088ac0670b045ef7f4703f5c90bc
Instruction ID: 263617675e9ce314389f9b0a575dc589eb34e6c6470254444232895e5aa700be
Opcode Fuzzy Hash: 88910be7d9b5c9b596a9f3d6c77b9b1062d3088ac0670b045ef7f4703f5c90bc
Instruction Fuzzy Hash: 9141F975A0020ADFCB44DF69D98499EFBB5FF49314B14C6A9E818AB311E730AD85CF90

Function 04EE60BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf85ff7e6de5a2e8e04a48ee1a7af652f01d169af24d4528d5457c250b7b978c
Instruction ID: 902cc49dcdaca693814945531a543ea337bed98e22f50b27d4003b5c7ce3b968
Opcode Fuzzy Hash: bf85ff7e6de5a2e8e04a48ee1a7af652f01d169af24d4528d5457c250b7b978c
Instruction Fuzzy Hash: DC318071A04300CFEB45EF7AD8846A57BB2FF98314F4586B9DC496F206EB35A885CB50

Function 04EE5B44 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9773a032fbf88d0d1df6ab4b137b19ae7d8ec6fe711dcb669d427a67a672387e
Instruction ID: 27a6f45cd561b5fe01ca39c79fd943f1d3f71ef8feb911dde2a4941bbb79350e
Opcode Fuzzy Hash: 9773a032fbf88d0d1df6ab4b137b19ae7d8ec6fe711dcb669d427a67a672387e
Instruction Fuzzy Hash: 58319F31A04201CBEB44EF7AD8846657BB2FF98314F488679DC0A6F206EB35A884CB50

Function 04EE7548 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf2b91e6c839ce04caf6914c1f180c6d54ee8a8be4cbae550230db45c6efb89
Instruction ID: af6c0ffcf080b9d0d3a7c890093f6cbf57a0d89cb7e3bb5cf3e05ac9ede9131d
Opcode Fuzzy Hash: abf2b91e6c839ce04caf6914c1f180c6d54ee8a8be4cbae550230db45c6efb89
Instruction Fuzzy Hash: 15410675A0020ADFCB44DF69D98499EFBB5FF89314B14C669E818AB311E730E985CF90

Function 04EEE6E8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfb6d1ac6343e7779e77f30aa0214eca70fab6543e10345986eca6d73aafe1f
Instruction ID: 1992f9419e944b25b967efd67dd3a298fbedad1c5ce1c50c224a608cb6d2c49e
Opcode Fuzzy Hash: adfb6d1ac6343e7779e77f30aa0214eca70fab6543e10345986eca6d73aafe1f
Instruction Fuzzy Hash: 2F314D35A006199FCF04EB69E8548EDF7B6FF89224B058569E506AB350FB31BD45CBC0

Function 06FB27FF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666798f1854e00ce48f8280a950880cf88942338725cf29382335de808aacf63
Instruction ID: d0d68a68d8414d842e8a5e8c4de1edb6087c12e956ca17176ff37f95ea859ff4
Opcode Fuzzy Hash: 666798f1854e00ce48f8280a950880cf88942338725cf29382335de808aacf63
Instruction Fuzzy Hash: 5B21D331B083409FC70A9B78985447A7BA7AF8620031544AED406CB7A2CF34DC45C761

Function 04EEB371 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1f1049f87633f8abde91b874e30e2598b4481ec0e6794b3f4ee9049fd872f9
Instruction ID: 9d1a70027f2d741047ed0c244ec23bad849d430094906d7c6b97c85ffc23d2ca
Opcode Fuzzy Hash: 6b1f1049f87633f8abde91b874e30e2598b4481ec0e6794b3f4ee9049fd872f9
Instruction Fuzzy Hash: E7314874A01209AFDB14CFA5D584BEEBBB2EF88314F119069EA05A7750DB70BD44CB60

Function 06FBA098 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625bd56704f0316b585b2e0cd012a041043ad4b4f343fd65eb19e784746e6a0e
Instruction ID: 6996e767df2474415e18268194480e5ae32d05df0893ecff40c4b39ce607123b
Opcode Fuzzy Hash: 625bd56704f0316b585b2e0cd012a041043ad4b4f343fd65eb19e784746e6a0e
Instruction Fuzzy Hash: F231C375600605CFD702EF68D854AAEBBB3EF84314F008559D556AB354DB34ED06CBA1

Function 04EED058 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd57f1284cb28cae94c274d20b410293916de66cf366e2f4a5c02d341d7460af
Instruction ID: 8c36ef48f2eedc6cda9829ced44561a8a42fd3d7e813bd8745580dd3703373f0
Opcode Fuzzy Hash: dd57f1284cb28cae94c274d20b410293916de66cf366e2f4a5c02d341d7460af
Instruction Fuzzy Hash: 3B2179303006118FCB19EB29D854E7A77E6AF85718B1991AEE506CB3B1DB72EC06CB50

Function 04EEBC21 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e20a5f33916211561d4d0d0b09122d719fac9196f139abf9797cc7028685b0
Instruction ID: 433b62492d4eefebf4b4d34e5b9d93367f7f4f7d56be0e5861c630af3d62aa21
Opcode Fuzzy Hash: a9e20a5f33916211561d4d0d0b09122d719fac9196f139abf9797cc7028685b0
Instruction Fuzzy Hash: 1721A331A107059FCB05EF68C894899BBB6FF8531474186ADE5496B332EB30ED59CB81

Function 04EEB661 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6229cfb5013f29ad5bb6910e102ba4ae83712520528b1a17e8b6509ab2ecb11c
Instruction ID: 9ce06996047ced97d810a2d38f8cc7eb3686c09a5c3e070cc3c286447159fbb4
Opcode Fuzzy Hash: 6229cfb5013f29ad5bb6910e102ba4ae83712520528b1a17e8b6509ab2ecb11c
Instruction Fuzzy Hash: 7721F271A007058FDB15EF29C84066ABBB6EF85318B00967EC409AF755DB31F886CBC4

Function 06FB1CF8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1da016e851c529a32d8cd1133d75ca5efa94e5fee1f8bc87d2b45dfc6b15ca
Instruction ID: 7294fac82a72efb6bce0bc94f6271abd5472458e0d13460b5278799aa0873ab4
Opcode Fuzzy Hash: 7f1da016e851c529a32d8cd1133d75ca5efa94e5fee1f8bc87d2b45dfc6b15ca
Instruction Fuzzy Hash: 34216F36B902149FCB549E5AD5C4AAFB3A6FF88711B04942EE90687750CB72FC41CB50

Function 06FB337A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a938198375d9ad1077156ef31cb808f1c0c4fe1d7c804ed392c362b569016f
Instruction ID: 79c7f31de60f099895d1e924767b073830010fa6001112b4f83a7c587dc53e75
Opcode Fuzzy Hash: 23a938198375d9ad1077156ef31cb808f1c0c4fe1d7c804ed392c362b569016f
Instruction Fuzzy Hash: CA219F36B503109FCB61DF16C4C0AABB7B6FF85610B04906EE9068B761CB71EC01CB60

Function 04EED068 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da7af8e74b0a9c978910307bf208f39d8aa38c0dcd70cecfb9b29bb6389668b
Instruction ID: f0f5f03da865e65561a2fbad9a38a1ced3f15b67cd85695cdeadfac7df86c2e6
Opcode Fuzzy Hash: 7da7af8e74b0a9c978910307bf208f39d8aa38c0dcd70cecfb9b29bb6389668b
Instruction Fuzzy Hash: BA213B303106118FDB18EB2AD854E3A73E6EF89718B1594ADE506CB3B4DB72EC46CB50

Function 04EEA89C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e328bbdb03ba0dcd921de2f07a7c7abb40071778a14f1fff7079df6673981e41
Instruction ID: a8ca259605ffd0d51aacd2670e5ffcdb1dd53ea7f035e2bc24d9567f1b5bd1c1
Opcode Fuzzy Hash: e328bbdb03ba0dcd921de2f07a7c7abb40071778a14f1fff7079df6673981e41
Instruction Fuzzy Hash: 87219F31A107098FDB04EFADC8848A9B7B5FF8431474196A9E5496B325EB30F984CB80

Function 021FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678577020.00000000021FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21fd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb1fb2894b42b3458d82bf58e5ca95cf82dd6e46e8c7a4eb3a84ae75adb697d
Instruction ID: 2ccfd84ddcfd00acda92c4292d34130871bfb5c44613fa018192ce974ad40093
Opcode Fuzzy Hash: 1eb1fb2894b42b3458d82bf58e5ca95cf82dd6e46e8c7a4eb3a84ae75adb697d
Instruction Fuzzy Hash: 59213471684200DFDB54DF14E9C4B26BFA5FB84314F20C66DEA1A4B756C33AD447CA62

Function 021FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678577020.00000000021FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21fd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d42e62574e6644ee3606002c9a62f2a610f019979f3b2a6db56dcdfbed693e
Instruction ID: 8464ce9dbea581b3ee10658e8bfb62027c55068d60970afeb6a0acb89cc466b4
Opcode Fuzzy Hash: 56d42e62574e6644ee3606002c9a62f2a610f019979f3b2a6db56dcdfbed693e
Instruction Fuzzy Hash: 58213871584200EFDB45DF14E9C4B36BBA5FB88314F20C66DEA1A4B356C336D446CBA1

Function 06FB1430 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e0f4f63e5c4dcc94201c6ada34cd75aae4ddd2a8998d0ee55e2d4710dc0da7
Instruction ID: 3f1212aa92957a65dcc43c16d1a45c64aa5dfa64b19b8b220cd6b0cceaf7ada6
Opcode Fuzzy Hash: 01e0f4f63e5c4dcc94201c6ada34cd75aae4ddd2a8998d0ee55e2d4710dc0da7
Instruction Fuzzy Hash: 10215635D10609DFCB10EF6DD8405DAFBB4FF49310B50C369E558AB204EB30A995CB91

Function 06FBA0A8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28103931fa3a6b4b87c763562b306d77314c88a580f7da1dbed6cae4501d6c5
Instruction ID: 5bbb60ff7c48b2a17f7c6afa0bdd0b771ff8f54892caa55cd5d7f6042f782a65
Opcode Fuzzy Hash: b28103931fa3a6b4b87c763562b306d77314c88a580f7da1dbed6cae4501d6c5
Instruction Fuzzy Hash: 05216B74A00605CFDB02EF69D854AAEBBF3EF88314F008569D51AAB354DB34ED068B91

Function 04EECD90 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02429363f800009c11ed41058055780b810e40e6858634fdd0330ea9bc5710e
Instruction ID: 223fd44f6f59e8faa9aa2f751480705474df88b487daaff4ff634d9275bc5a42
Opcode Fuzzy Hash: d02429363f800009c11ed41058055780b810e40e6858634fdd0330ea9bc5710e
Instruction Fuzzy Hash: 3311A231F006154BDB20EFAE88402BEB7F6AB88714B14852AD505A7314DB74A9018BC1

Function 06FB393A Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fa48e4f907d6815561dad0e862a86096bc56c0dd0d7062e48d73c7ca40cb77
Instruction ID: 139df35e3371ff3eaa1cff4cd88a371b692e6fabe79c8a0f65fbc64de2d7bacc
Opcode Fuzzy Hash: 26fa48e4f907d6815561dad0e862a86096bc56c0dd0d7062e48d73c7ca40cb77
Instruction Fuzzy Hash: D9212971E1024A9FCB05DFA9C8409AFFBF5FF89300B11825AE418EB211E7B0A955CB90

Function 021FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678577020.00000000021FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21fd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599806424f155efd817d5a530682a99c7c1d87884b6dd58d59edbf16dee62e15
Instruction ID: 7d131621fbdae41b54c90289e3ef0643a62b4fadbf5752ddd4f9b125814f8742
Opcode Fuzzy Hash: 599806424f155efd817d5a530682a99c7c1d87884b6dd58d59edbf16dee62e15
Instruction Fuzzy Hash: 5921A1755493C08FCB03CF24D994715BF71EB46214F28C5EAD9498F6A7C33A980ACB62

Function 04EE5FE8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f13984fa9fa7ee7295a8a3d53f4bd1f20c6fc1c0919d5ff01249e2b685520de
Instruction ID: f3914b17add70f723bd0de40479122fc071695d227e07db7c2d6664c27403136
Opcode Fuzzy Hash: 0f13984fa9fa7ee7295a8a3d53f4bd1f20c6fc1c0919d5ff01249e2b685520de
Instruction Fuzzy Hash: C5219D31600B44CFDB65EB74C454ABAB7B7EF85319F0489ADC05A1F260DF35A98ACB81

Function 06FB3948 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be9ec2228a1a6c0037a8192ab95934943269fe45bd9bc4e4e90a437bb84da12
Instruction ID: c8526a0297d92aa96a96c0150d97e1ad37aeeed91a61deca8876a0e625465dda
Opcode Fuzzy Hash: 4be9ec2228a1a6c0037a8192ab95934943269fe45bd9bc4e4e90a437bb84da12
Instruction Fuzzy Hash: D621BA71E1020A9F8B04DFA9C9448AFFBF9FF99310B10855AE518E7215E770A952CB90

Function 04EECD8F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c6c93326fa90fb34313dd72b56abd31ae43d135d5b34329565c23747604cdc
Instruction ID: 3c4f4e86048bd56667594dbdae1195b24f415f9faabf01b5a58187b299636c3f
Opcode Fuzzy Hash: 48c6c93326fa90fb34313dd72b56abd31ae43d135d5b34329565c23747604cdc
Instruction Fuzzy Hash: 2311E532F016154FDB24DFAA88812BFBBF6EBC8714F24853AC515E7314DA34A9028BC1

Function 04EE5B24 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9b67d51b0041d182b9160d7010568f6659faac49015fe0c7d70acc7bf75ec7
Instruction ID: ccf8af3dd0c23eac785cf44027289e4adfa88fd1f893901963cf4f83d895262e
Opcode Fuzzy Hash: 2a9b67d51b0041d182b9160d7010568f6659faac49015fe0c7d70acc7bf75ec7
Instruction Fuzzy Hash: D0219A30600B05CFDB64EB79C440ABAB3A6EF81319F00896DD05A1F260DF31F88ACB81

Function 06FBFCA2 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc7f82dac669bf68f24f0657086e386ad697d0dbf37ba55f19b1c37c4f95b3
Instruction ID: 80c692103cfb35aacb0931eb2f66b6f7c57e70a00f44673f1f929128a936fce3
Opcode Fuzzy Hash: a9bc7f82dac669bf68f24f0657086e386ad697d0dbf37ba55f19b1c37c4f95b3
Instruction Fuzzy Hash: 6F11A775D06208CFEB44CF66D8447EEBBBAEF8A300F10E159C8295B256DB744906CB81

Function 06FB334A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37e9c9b52c3a7386d87e6a0976fd74ed3ff8ae39c103d7b87f2d5434033083d
Instruction ID: a4d1826ab2760b58b2dcc1a72f3c50350e70aa87b5e282b1380f6b16fae10b77
Opcode Fuzzy Hash: b37e9c9b52c3a7386d87e6a0976fd74ed3ff8ae39c103d7b87f2d5434033083d
Instruction Fuzzy Hash: 4711C232B80200EFCB55AF59D8908AABBB6FF84211714906EF6058B221DB73EC01CF10

Function 021FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678577020.00000000021FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21fd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5cee46d0d91a331f99a4eb0d47b6e7bd7c4ea0518183e9acb1624fcb64ae1140
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A711BB75544280DFCB02CF10D5C4B25BBA1FB84218F24C6AAD9494B296C33AD40ACBA2

Function 06FB5BA0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216efa36ffec7507cce7b8b097da34df3bda777548a3ad83b0d4aa8338373750
Instruction ID: 328cebe4dc14ea3c1300911009b3dba690dbc158ecd4a6354e676cf19f4da36c
Opcode Fuzzy Hash: 216efa36ffec7507cce7b8b097da34df3bda777548a3ad83b0d4aa8338373750
Instruction Fuzzy Hash: 39118675D043499FCF01DFA8C9505DEBFB0EF49210F14828AD864A7391E7306A51CB91

Function 06FBFC29 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0a59e93789b68440098127ae924893cc4110797ba31106da58340530b50d58
Instruction ID: 07597cd7bd089eb6be39ec59053c8d9fc58138ada7729b6cc4311d0a76b19f81
Opcode Fuzzy Hash: fb0a59e93789b68440098127ae924893cc4110797ba31106da58340530b50d58
Instruction Fuzzy Hash: D1019671D09204DFE744CF66D8087EEBBBAAF8A300F00E469C4186B342CB755545CF80

Function 06FB3A6A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134c4e779d6dfd6553f338e0f7f2c69aeb0d66ed12f2cb4fc9209ad2b6e141dc
Instruction ID: f040321fbe0d4aa9542b043895daff1c51228bd51f0adeeb9f141f5143d09c0b
Opcode Fuzzy Hash: 134c4e779d6dfd6553f338e0f7f2c69aeb0d66ed12f2cb4fc9209ad2b6e141dc
Instruction Fuzzy Hash: 0701F736B543005FCB19D626D8109AAB7AA9FC1310724C4BED805CB295DF71DC46CBE1

Function 06FB3C5A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260e2d6502fcf1e9b2006cde96a78224405d0d96ac955ddb88713a2c27e7e0db
Instruction ID: a3c6a3ba821401895d0717a0d4a397faa1ceb249c1e19c05bfbdec930d532550
Opcode Fuzzy Hash: 260e2d6502fcf1e9b2006cde96a78224405d0d96ac955ddb88713a2c27e7e0db
Instruction Fuzzy Hash: 5701BC35B852108FC71ADB69D850DA6B7E6EFC5320B6481AEE0068B3A5CB30DC06CB90

Function 06FB39E2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e4fb9840b1bbf8a060851d58d9f8e80d2ce13688f6d668656e83574a4d6374
Instruction ID: e5576f729aaf9e277ae95bf8086ce9e75f6d21f9782dc6261f875404e5fc79a2
Opcode Fuzzy Hash: 32e4fb9840b1bbf8a060851d58d9f8e80d2ce13688f6d668656e83574a4d6374
Instruction Fuzzy Hash: F001F735B053009FCB15DB29D840D6AB7EAEF86620B25C1BAD4198F365CB70DC06CF90

Function 06FB3A78 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f7c8465ad3329cadfea27142a954a3b89a98adf18f74b2037526ed35200803
Instruction ID: 37ee22750282391fab0073b46b1c1885c8b1637d2fe99fe91a3b3cf84a9fe23f
Opcode Fuzzy Hash: a6f7c8465ad3329cadfea27142a954a3b89a98adf18f74b2037526ed35200803
Instruction Fuzzy Hash: 7A01D63AF502044FCB58E62AD95096AB3DA9FC0310764D47DC406CB794DF71DC46CB90

Function 06FB2868 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e73b9be8b37df63b32808ff93e60837a97fe4a10b1c44e65eace17a09828cff
Instruction ID: 9b1bc4d9dcb8a8350c4494a20526073087289a884e2cccde0959cacc59376d1a
Opcode Fuzzy Hash: 6e73b9be8b37df63b32808ff93e60837a97fe4a10b1c44e65eace17a09828cff
Instruction Fuzzy Hash: 5D017C30B002149FD718DF2AD48897AB7E6FF8825471484ADE81A8B320CF71EC49CB60

Function 04EEEDF9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72037519d63fbee5fd3f173de882269fcfad2055d63f19dca4666c0b1c15abae
Instruction ID: e50d97dc840f4d5b75f446aae21445d1b34083d4becc646d5c418e73ed2f32e2
Opcode Fuzzy Hash: 72037519d63fbee5fd3f173de882269fcfad2055d63f19dca4666c0b1c15abae
Instruction Fuzzy Hash: D001DB31A00B05CFD706A77584105BE7B35EFC5214F45569FD4456B264EF30BA81C7D1

Function 04EEAF19 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a071b40b140370a2bc3de2bb9b6bb41eeb7ab4699dbceb3a3f3df1e345422b
Instruction ID: cad1b9259e01ab99f2855f530856c1f8f6790c978e3fba1fc2bc3e8215789fd1
Opcode Fuzzy Hash: c4a071b40b140370a2bc3de2bb9b6bb41eeb7ab4699dbceb3a3f3df1e345422b
Instruction Fuzzy Hash: 1E01F9303543104BE72A6B7684687BE36675F89B08F04059EE5459B3E3CFA5AD01C7D0

Function 04EEC901 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e95f8443545e768e7a317f280a45c26e9a7bf04d608546ad886f9c88c40b0f9
Instruction ID: af118775a914667451e6da5fe90549ff99177e45f50a72e0ae7f19e4d8bbae61
Opcode Fuzzy Hash: 0e95f8443545e768e7a317f280a45c26e9a7bf04d608546ad886f9c88c40b0f9
Instruction Fuzzy Hash: 65F04C716147910FC70AEB7AA800856BFF79FC9200309C1ABC50DCB26BD8218D018B81

Function 04EEEA28 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72618bc7826acb0f5e197560187c7890de8a9b6bb4a2554cc3e686482c68498c
Instruction ID: 71a06da082cc6d54406c69811869161a9c9e673d04ea83e6c53662941a231253
Opcode Fuzzy Hash: 72618bc7826acb0f5e197560187c7890de8a9b6bb4a2554cc3e686482c68498c
Instruction Fuzzy Hash: A8012931A007098FD724EF3AC4405BA77B6BF85308B10D56ED88A8B260EB71F981DB90

Function 04EEEA19 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8cee249f17debd374c61c76082b11a21d53837e1710d5f1fb8a780050e0301
Instruction ID: 02b449e7f093afe3f1b60f2f3e56063f45e1c663fd26a720e9045a72fb4d7aab
Opcode Fuzzy Hash: ac8cee249f17debd374c61c76082b11a21d53837e1710d5f1fb8a780050e0301
Instruction Fuzzy Hash: E101B1305057448FD725EF3AC4045B67BB2BF81304B04D6AED48A8B261EB30FA85DB90

Function 06FBFC38 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8089d04891a4a1d326d2b48aaf14e87efba2f09fc72fa71387cb320df5af9993
Instruction ID: 65d283e0dd9a2155f32e753082d0f7674c219fd0ecfda75163b0daa6cc3fa0cb
Opcode Fuzzy Hash: 8089d04891a4a1d326d2b48aaf14e87efba2f09fc72fa71387cb320df5af9993
Instruction Fuzzy Hash: B0012175D052049FEB44CF57D8047EEB7BAAB8A300F00E429881967356DBB45544CF90

Function 06FB3C68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac2385bd4d4b92c14b415d9c6852ca64ff774965900464b1282e2e3c224d44d
Instruction ID: 0b993d359eb29be49fc39842061511c503d493ecb360755ba50f550290969b6d
Opcode Fuzzy Hash: fac2385bd4d4b92c14b415d9c6852ca64ff774965900464b1282e2e3c224d44d
Instruction Fuzzy Hash: 1D01A435B502108FC759DB6AD540E6AB3E6EFC5320B50C479D40ACB7A4DB71EC06CB90

Function 06FB39F0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8321691f3669f4077884770cd678be6c11a3e639f1585fc978295672429f59
Instruction ID: a54f58d4de420ae4ee65cef35b056dc1651c7de302271b3f0e849970f6807346
Opcode Fuzzy Hash: ef8321691f3669f4077884770cd678be6c11a3e639f1585fc978295672429f59
Instruction Fuzzy Hash: D5018139B502009FCB18DB2AD940D6AB3EAEF85710B65D4B9D409CB324DB71EC46CF90

Function 04EEF129 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0f75ec3ebee0eb19da3034478ed5c2a3723c90b40d4e0386945d3a0f275b8b
Instruction ID: 8790221a2fc2ed315c147913b66bfe4ec112e7ada87ec667238a7355c40aca96
Opcode Fuzzy Hash: de0f75ec3ebee0eb19da3034478ed5c2a3723c90b40d4e0386945d3a0f275b8b
Instruction Fuzzy Hash: F6F0B4323447651FC7059B69EC449AA7BAADF85224305457AE106CB362CB61DD4A8BD0

Function 06FBA2B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c229c20d4d19dbd6e31a85c0dc9248f51b4d345309cd4caae034c449015284a
Instruction ID: 6bbbb570744df218ba11a3b3e03016d5b0a9e0be44c9261d79d714732ad3434d
Opcode Fuzzy Hash: 4c229c20d4d19dbd6e31a85c0dc9248f51b4d345309cd4caae034c449015284a
Instruction Fuzzy Hash: B0F0BE2254F3847FC3039B759C218D6BF76DB4710070902E7E049CB2A7D6264B5AD7A3

Function 06FB3E80 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f850e203d3616f37f28520ffef07349a32fde920bb84c425cfb34165309ed36
Instruction ID: 468581c6a0f178382016aa115577013427b835748a79de5713fb880a27538a93
Opcode Fuzzy Hash: 6f850e203d3616f37f28520ffef07349a32fde920bb84c425cfb34165309ed36
Instruction Fuzzy Hash: 5FF0B24248E3D06FC34B92354CA85D67F754A5700470E94DBD184DE0E3E419591FC3B3

Function 06FB3CE0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2b68e327cc4a87055a1a7411ae6e55bd285c0537b83f41f8ee7f755f45bd8b
Instruction ID: 88debb1b8107aaf118d2f0197b48974e701bea8ef981f76b20bf892bbcc1ca89
Opcode Fuzzy Hash: aa2b68e327cc4a87055a1a7411ae6e55bd285c0537b83f41f8ee7f755f45bd8b
Instruction Fuzzy Hash: 44F0F6367443548FC355DB3ADC40AE53BA2AF8A210B0944ABD081CB2A1CF24DC45CF51

Function 06FB5BB0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9544af749720004cda12e0f8cdf9f3bd238a64e4f64c678cbd832aa09cb04a24
Instruction ID: a1ccc1061b728600b400da805f7617ede3da3f7cc6686c3b5c91d52785ffce66
Opcode Fuzzy Hash: 9544af749720004cda12e0f8cdf9f3bd238a64e4f64c678cbd832aa09cb04a24
Instruction Fuzzy Hash: 2B016775D0061DAF8B41EFA9C9419EEBBF5EF48210F10855AE858A7350E770AA508BA1

Function 04EEF598 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4982947fd0e990710be6986fed51bd4d2c085305feea5abf68c4feb68cce00
Instruction ID: 9f0211996ff273c1f9b96817e333bd5035702aa6c2a7c285fd51a6c20c605bf3
Opcode Fuzzy Hash: 7f4982947fd0e990710be6986fed51bd4d2c085305feea5abf68c4feb68cce00
Instruction Fuzzy Hash: CEF037352552508FC315DB28D898C96BBAAEF4A70930641E9E04ACF372CB62EC45CBA0

Function 04EEEE78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab4c4495a17c397081d095bdb129f04d42291ded5891ffde81029f932e46dda
Instruction ID: 3c68cd210c57532022b70964c7c4be5a98a3e566787004f49683996c0f9fd13f
Opcode Fuzzy Hash: 9ab4c4495a17c397081d095bdb129f04d42291ded5891ffde81029f932e46dda
Instruction Fuzzy Hash: 8BF0F6313047008FC725AB5AE49492AFBB6EFC5725B10056EE50987775DF35EC42CB91

Function 04EEAF28 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9e078e53a4e114475d5dd7a55efab97def3fabc1579906147fa1d9e68cb0e7
Instruction ID: 9ede6b616edd6988580b2af26e1dd88246028e109fc635277baa4148ec31c463
Opcode Fuzzy Hash: ca9e078e53a4e114475d5dd7a55efab97def3fabc1579906147fa1d9e68cb0e7
Instruction Fuzzy Hash: BFF090303907200BEA296B7AC46477E32AA6F88B08F00155CE50A9B3E2CFA5AC4187C4

Function 04EE7498 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbeed6ff50cb064e8a64343b131b5f09dcd92eecfcfa8dd5406eb3fd8b763e1
Instruction ID: 46300ca1a51698f81ec214daa75364f4b90f32f3a3c659a7c3fa329deea95d86
Opcode Fuzzy Hash: 8dbeed6ff50cb064e8a64343b131b5f09dcd92eecfcfa8dd5406eb3fd8b763e1
Instruction Fuzzy Hash: AF01E875D04249DFCB40EFA8D54589DBFF0EF49200B1585ABE858EB322EB709A44CF91

Function 04EEF138 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8ac0ca051d2ceeeeb882ceab0f5aa7cb4344d25feb8cb9ab6896c9e01e366b
Instruction ID: c48f2d890acbc697dc506ea0c83d41863ac9adc8641929e11a1b9398835e3c1a
Opcode Fuzzy Hash: bb8ac0ca051d2ceeeeb882ceab0f5aa7cb4344d25feb8cb9ab6896c9e01e366b
Instruction Fuzzy Hash: D7F0E9367007154F87149B6FF84486AB7EAEFC4224304467AE10AC7324CF71EC098790

Function 04EEEE08 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f4caba479c0d95624a9bf8bf2047f0bb1e091f8c5adbb70127f5ba442fc24b
Instruction ID: 28c9b4573cf513cf1958eb6db406afea695944c2c92a4c0afc5db0a1de772e9a
Opcode Fuzzy Hash: c9f4caba479c0d95624a9bf8bf2047f0bb1e091f8c5adbb70127f5ba442fc24b
Instruction Fuzzy Hash: B0F0CD31A00B0A8BDB15BB7A84105BEB779EFC1624F40466ED8492B310EF30BA8187D1

Function 04EECCFF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67d70ddae23751dbe3051268a6d4aa8e9b61820fe1ae0604fddff31f61c1e45
Instruction ID: 0a65090c0a004bec37f76ba40c18e0f2b5f8234d5777837329ebd1a2891bb3ef
Opcode Fuzzy Hash: b67d70ddae23751dbe3051268a6d4aa8e9b61820fe1ae0604fddff31f61c1e45
Instruction Fuzzy Hash: BAF01D343101108FC7549B6DD4489797BEAEFC9A15B1480BAE50ACB370CE71EC42DBA0

Function 06FB1D08 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ec2f41d246836d23d17cdbf6f44c587208fecdaad80ab2a1410114977d2edd
Instruction ID: 50e7dbcfb0ab71d747e0d72198e7a72aa4ff6c434fbac9ddba72fcc86c4ee04f
Opcode Fuzzy Hash: 37ec2f41d246836d23d17cdbf6f44c587208fecdaad80ab2a1410114977d2edd
Instruction Fuzzy Hash: 4BF01D72D505098FDB90DF79C8457BDBBE0EB44305F0489BAE418D3655EA38DA458B81

Function 06FB3AFA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14c1e4db8af0d948f0fff8417c61988e781f268e4fa1f9f77a22d16316c4822
Instruction ID: 8499f4d0858eed02e01cf5abc69263a32188a01d879826f94f57aeb239f8d4c6
Opcode Fuzzy Hash: c14c1e4db8af0d948f0fff8417c61988e781f268e4fa1f9f77a22d16316c4822
Instruction Fuzzy Hash: 8EF09A72D542198FDB90DFB8CC417AC7FB1EB00300F0884BAE418D7292E6388A068B81

Function 04EEEE88 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c081c28f480c1b193068ee0e99aea05dbaff58008bd4fd155b466b7eb9fc1f1b
Instruction ID: ec84e2089640dce65f7de1c5c1936f8e0f20cee7f40f4ff1d27a8997d3ac5b6e
Opcode Fuzzy Hash: c081c28f480c1b193068ee0e99aea05dbaff58008bd4fd155b466b7eb9fc1f1b
Instruction Fuzzy Hash: E8F0BE313007008FC628AB5EE48492AF7AAEFC8725B00056EE50A87734DF31EC42CB90

Function 04EE74A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 06FB3CF0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b64d929459957213ddbd62a5658c525fb6dac18a6c30bb1321b967875ea152
Instruction ID: 4a025903feebbd06877d3358069acbc6bed4ff4445d9c7b42b794d3e48ec1702
Opcode Fuzzy Hash: f4b64d929459957213ddbd62a5658c525fb6dac18a6c30bb1321b967875ea152
Instruction Fuzzy Hash: FEF03036B406188BC764DA2AE844AEA73AAEFC9721F145069E055C7350CE34E845CB90

Function 04EEC928 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d4c5c9bd8ef4f9fac3efbeffb1abea6b8ad80a97cb03793236d4276bb7b67d
Instruction ID: 278ef686ed1b0e844821e03655b9386814a77455ff1281940f618a6174cd1d62
Opcode Fuzzy Hash: 85d4c5c9bd8ef4f9fac3efbeffb1abea6b8ad80a97cb03793236d4276bb7b67d
Instruction Fuzzy Hash: 51E06571B107100B570CFBAE9400466F6DBAFC8610354C17AC50D87629EE71E9014A84

Function 06FB7F78 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0338ae6d957af98538b3d19d230dfcf99eca6c3e2326e2c03d233cf59d6a200d
Instruction ID: 384f6e8efd946cc511a065a60cf59f1a9e11a710d97b240de8bdcd32845e6918
Opcode Fuzzy Hash: 0338ae6d957af98538b3d19d230dfcf99eca6c3e2326e2c03d233cf59d6a200d
Instruction Fuzzy Hash: 55E0DF36A023708FD713A799D940ED47B69D781351F0681A6E845DF292C338CC528BF6

Function 04EEF5A8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f393f7f3bf1e9ec6b404a0e6bb1bbeb49a3a79dc8b5958e6e1905fa435eeea
Instruction ID: 819379f8a50abb2bbd9e19166ded704054adf0d13b62055fecea36c037d8117f
Opcode Fuzzy Hash: 99f393f7f3bf1e9ec6b404a0e6bb1bbeb49a3a79dc8b5958e6e1905fa435eeea
Instruction Fuzzy Hash: 2DF0F234240610CFC718DB6CD598D59BBE6FF49B1971185A9E10ACB372CB72EC44CB80

Function 06FB7F30 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a60ba8dcfc644a951222b52946dc724ab8e55d1276add62cacda90faa138a55
Instruction ID: 81f4c85a607bec376262630449d82e0b9f822dede1a8f8b14e3fe682015e724e
Opcode Fuzzy Hash: 9a60ba8dcfc644a951222b52946dc724ab8e55d1276add62cacda90faa138a55
Instruction Fuzzy Hash: 88E01237604624CBCF10DB9DF4815B6B7A9E785A653188966E50CCB611F33BDC92C7C4

Function 06FBBA90 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba39558cc746c3679b9811bf1333ab5b18d9b2c70e106eee53e4c901f8855fe
Instruction ID: 997d0e93db368e25f620071864969c462c7acb243585d87aa784bc00181a93f7
Opcode Fuzzy Hash: 9ba39558cc746c3679b9811bf1333ab5b18d9b2c70e106eee53e4c901f8855fe
Instruction Fuzzy Hash: 55E026393001149BD204BB7EE408AAE3ADBEBC4665B00C425E906DB348CF38DC0287A5

Function 06FBA2D2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb87b3be41cd499374c64c850c97bf7c0083a7f6b2d28541f621d34b85a3fdad
Instruction ID: ff047b9f313ae094818af868e62512960f1d790426b544bfb5556a06b6a5f72b
Opcode Fuzzy Hash: fb87b3be41cd499374c64c850c97bf7c0083a7f6b2d28541f621d34b85a3fdad
Instruction Fuzzy Hash: C9E0CD72447108BFC701DF65D8014DA7FB6DB4910070041F7E504D7221EA354F1597D2

Function 04EE8CE7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ae9f8dd5ae7c507f63b12f2a7c8523e5c65a65b8ea434ed0d5adf0fe2e6f40
Instruction ID: 907b4aec161d3eaebda80b3e8a2c904846a01d63ffefdc29d45e318802781561
Opcode Fuzzy Hash: 06ae9f8dd5ae7c507f63b12f2a7c8523e5c65a65b8ea434ed0d5adf0fe2e6f40
Instruction Fuzzy Hash: 45E0D8323483010FC606D658A88089BE793DFC5310745873BD16A8B329DB60994687D5

Function 04EED130 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727e25a23e37b8f5a45cff9fe360892397ee1462a5298d4575acb098ba9157c8
Instruction ID: 973b4925deef9384437817bb3e8ae8445343bebbf4a0b68da405d52c38569ada
Opcode Fuzzy Hash: 727e25a23e37b8f5a45cff9fe360892397ee1462a5298d4575acb098ba9157c8
Instruction Fuzzy Hash: ADE086352492909FC7024738A9148A67FB69B4A1213058097F445CF322C6248D2587A5

Function 04EEB340 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f979f9aa4011553f302c0ba62980f666fa91e84004ad3fdaef8664917293234
Instruction ID: cbf1c8d641ef31b7be3623412b3d435110d2af9b6a7838cc0b08cf573c79e9bc
Opcode Fuzzy Hash: 1f979f9aa4011553f302c0ba62980f666fa91e84004ad3fdaef8664917293234
Instruction Fuzzy Hash: C0E0EC36145248BFCB02DF54D890CD67F76AF5E620F058096F5588B232D3359971DFA1

Function 04EEEEE0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0013ce21eb84946611ff58acb582ed3e4c36f6b8b9073ddea1adc7ca8614cc60
Instruction ID: ebf8cf46e1e1d4319e3ec2f891a91f6b9d6d062c18a78b9c20e26fdac909b824
Opcode Fuzzy Hash: 0013ce21eb84946611ff58acb582ed3e4c36f6b8b9073ddea1adc7ca8614cc60
Instruction Fuzzy Hash: 04E0122271E2A02F8706537D78140AD6F67CDC666174940DBE141DB252D9644D4A83A3

Function 06FB3C28 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca3085104c8f5ea439d7ca82880687348d5bc30d7a84350b5b019285a6beb4b
Instruction ID: 96f4ef05e93459bc65166437cbb3b86d89df4e623f8e088fb8f8f8498190fb47
Opcode Fuzzy Hash: eca3085104c8f5ea439d7ca82880687348d5bc30d7a84350b5b019285a6beb4b
Instruction Fuzzy Hash: 1DE08C3624A3806FD3829BA08C10DC67F29AB16250B14629BF4958F2A2C226491AC721

Function 04EEB538 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97ef08b2bb368a2ab9f246964c692c31ff49b1a40a4956170a70c96de254625
Instruction ID: cb292013beccc422c1e81feb1ece82deff49e4a180c7a76596f5607bcdda7b37
Opcode Fuzzy Hash: b97ef08b2bb368a2ab9f246964c692c31ff49b1a40a4956170a70c96de254625
Instruction Fuzzy Hash: B1D0A7317402384B9B093BFA740C2BD738DDB4556A300087EE40EC2300DE519D1146D8

Function 04EEB51B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fc16660e35a65a3a9bae45047daff7908b1ac5affe4a3207cc9508ed34373b
Instruction ID: 61f38b00b018d43bd1ac1c81d634253912455e3485a09457cc84a9418be84c1a
Opcode Fuzzy Hash: b0fc16660e35a65a3a9bae45047daff7908b1ac5affe4a3207cc9508ed34373b
Instruction Fuzzy Hash: 31E01A36601009AFDF00CFD0E944BEEBB32FB48315F104011EB0526290C7326A21DB91

Function 06FBFE9C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247ff40a2601ef2a96126fe28771c924639e6f08a01b7ec8869a3655fc6d1b71
Instruction ID: 2d796f3796cc80bfb2bd4f566d13c099f19cd282f9067585de7cfc831af27e14
Opcode Fuzzy Hash: 247ff40a2601ef2a96126fe28771c924639e6f08a01b7ec8869a3655fc6d1b71
Instruction Fuzzy Hash: 09E0EC3584F304DFDB808F66E4489ECBBBDAF0F300B016085D8199B253C37898448B94

Function 06FBFEBA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction ID: 9a38732fc638310ee2202d008e8613541864d74d6bba4fa4d89dca9afb66d032
Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction Fuzzy Hash: 2BD06779D4F204CFE784DB5AD8449FDB76DBB0E300B10B445D82A5B212C6B4A4448A80

Function 06FBAFD0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df11bb97fa8e521beb6eeffc231600ba877ce7baeee1f18646f8fec119a7b60
Instruction ID: 1dea7d54c60a4f34367bf23cd8abba5cace8a7207a0d5970cc7527179cfec135
Opcode Fuzzy Hash: 8df11bb97fa8e521beb6eeffc231600ba877ce7baeee1f18646f8fec119a7b60
Instruction Fuzzy Hash: 5FD05B31419380DFC301EB74CCA5846BF745E93200B0585CFE0844B512DB25951AC761

Function 06FBEE01 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e930987ed9ff42a034d3c8df2634b20349d6d280ed23b38344d69c3cd003f047
Instruction ID: 99a4c814514bffbee538a7bd14039fec8cc0928756c39d5eb8736c00f0989360
Opcode Fuzzy Hash: e930987ed9ff42a034d3c8df2634b20349d6d280ed23b38344d69c3cd003f047
Instruction Fuzzy Hash: 62D05B76208001DFD605CF14E554E96B7F2DFC4A04F15859DF44417215C633AC17CB65

Function 04EED140 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87745c3b93aee6924f07f0db5f9a1c3c3f85d6d71c1c0e8a94c5bcae9d80bff2
Instruction ID: 76927977d48e970abb53e3add1b6459856a6762fc27b44096470d7eda3669b07
Opcode Fuzzy Hash: 87745c3b93aee6924f07f0db5f9a1c3c3f85d6d71c1c0e8a94c5bcae9d80bff2
Instruction Fuzzy Hash: 8AD0C9367101249F8B059B68E808CA97BE9EB4D6613118166F909C7321CAB1DC108BD8

Function 06FBA2E0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47aa1e4be586d7bc36ad18b6f4b9ad6f530c6d37fd12378d0a5d85705a16327
Instruction ID: 8d9605873fe61a8c75fc7b307c60f95957394fc2a0553bed8075329f920703e1
Opcode Fuzzy Hash: c47aa1e4be586d7bc36ad18b6f4b9ad6f530c6d37fd12378d0a5d85705a16327
Instruction Fuzzy Hash: 30D0C97594210CEFCB00DFA9D90099EBBFAEB49200B1045E6D909D7210EB329F109B91

Function 06FBEFB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bbaafd11530da1c0c13ae97688b7ea2481b27cb58626d2ec35cf84f995cfc4
Instruction ID: 1c87b0df3ac4145e38886d879bfe25df42494879d8daa76206544eadcc7ead9c
Opcode Fuzzy Hash: b2bbaafd11530da1c0c13ae97688b7ea2481b27cb58626d2ec35cf84f995cfc4
Instruction Fuzzy Hash: 41D012B5614180DFC385C734C499486FFB0DF9A10471AC5DAD4098F11BDE378807DB14

Function 04EEB350 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90

Function 06FB3C38 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd44cf9c86a7da8071f5f78061b1911efefe40ab9a625cf61746f5de2c2829
Instruction ID: 0c797073caf2928a349f9a338d0b86b6d703c2f0a122dd1aaf78ab8ab531059a
Opcode Fuzzy Hash: 35dd44cf9c86a7da8071f5f78061b1911efefe40ab9a625cf61746f5de2c2829
Instruction Fuzzy Hash: 1DC08C3624020CBFDBC0EFD8CC00D96776DAB08710FA0E010FE180E241C672E862DBA0

Function 06FB3358 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca53bf76c7363af765194207e377349f508c128936fa37000e4fb5c87a8eaff
Instruction ID: fb1e79fc7523d292202d746d637140523f0f499ec433e4e7d0d8b3723da71c9c
Opcode Fuzzy Hash: 4ca53bf76c7363af765194207e377349f508c128936fa37000e4fb5c87a8eaff
Instruction Fuzzy Hash: CFC01232040108BBCB42AA81CC00E89BF2AAB04290F208024FB140D061D673D522AB80

Function 04EEB536 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cd2ed0dd90446bbce0ff1d810dd47031d3c8c6ca877be5be10a3769794a1d5
Instruction ID: f7a99c3255351ea4d3e21ae846f7309fb1aa84ec946d3b7a4d447074667338d5
Opcode Fuzzy Hash: 99cd2ed0dd90446bbce0ff1d810dd47031d3c8c6ca877be5be10a3769794a1d5
Instruction Fuzzy Hash: 45B022283800208A3A082AF2320822A230283C028A300A822C00AE8A80EA20AA0002C8

Function 06FBF86F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01a525a5d76046bb240cb6b4eb69201eab9843d6b4fe8dee516b85e8d35aaf5
Instruction ID: 2b66b542a038252b6ebd9d226cedbb0e5c6d4f5100576c666c12d64d19464b4d
Opcode Fuzzy Hash: d01a525a5d76046bb240cb6b4eb69201eab9843d6b4fe8dee516b85e8d35aaf5
Instruction Fuzzy Hash: 36C00236D0E284EFE7618F76D8544EC7B74AB0A211B20645A9026972A2D6605A40CF91

Function 04EEB640 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6c8f86fbb854b82e2d7d4bbb0d74da9b557ed243cc1a6a2e0ca3d353fabcf7
Instruction ID: 7bb925d94f5dafc3f513e3f057484725ef8eab0777b4f4978ac045a0a145ceeb
Opcode Fuzzy Hash: 6f6c8f86fbb854b82e2d7d4bbb0d74da9b557ed243cc1a6a2e0ca3d353fabcf7
Instruction Fuzzy Hash: 52B0928961A2801ED302B371689A4252F329B92210788B0FEA48996063E858540B8203

Function 04EEB512 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction ID: df1bb06185a727d8aa9d7fdae91ef06eda262ab33b15254152b0a59ebb2aa83f
Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction Fuzzy Hash: D5B09237E0400889DB008A85B4417EEF720E780325F104023C2115204193B22168A6D1

Function 04EEA838 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3af3cc99d1def3427d13d5773bfeb5c49416f7d577e70e4bd59cddc079ec22
Instruction ID: 7d1764e6c1d423b78f6c97f9cefd9ca8ec658780498c2072c29610d924ccee66
Opcode Fuzzy Hash: 7d3af3cc99d1def3427d13d5773bfeb5c49416f7d577e70e4bd59cddc079ec22
Instruction Fuzzy Hash: 89B011A8BA20028AFA00FB3B088803B8003EBC02283C0FC2A2202A000C8828F002200E

Function 06FBF7FE Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78eff7c4ed08eb5f884eab816e2b44edc900f6049ea475e0ac3b666c03ec13a
Instruction ID: b5730bb7f9c9af04156dc5b45777af56c1a61546437669c192f465e98d2e48cb
Opcode Fuzzy Hash: e78eff7c4ed08eb5f884eab816e2b44edc900f6049ea475e0ac3b666c03ec13a
Instruction Fuzzy Hash: CEC04835D09208EFEB608FB6E8444ECBBB4EB0E211B20642D9026A7292D7205A40CF80

Function 06FBEF70 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Non-executed Functions

Function 06FBA30E Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FBA3CB

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d1161340c34ef899393b0c69fb781895196586cf4ab53d34918e56e35a8402f9
Instruction ID: 33efa36766c534a7a9d66e33ff191d57a4e00fe364d678b2284e317f3d168442
Opcode Fuzzy Hash: d1161340c34ef899393b0c69fb781895196586cf4ab53d34918e56e35a8402f9
Instruction Fuzzy Hash: BC511DB1A006048FD749EF7BE94069ABFE3FBC4304F14C979C015AF268EB74A9058B51

Function 06FBA318 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FBA3CB

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5ce3be938202fc89d4940a7c393d288115e001bbe774357d2dabb7f9990e4a7c
Instruction ID: 9ae38ffd64884e2fa9d1b9d6691eaadaffeb29e983ab9960144d3231bc514d11
Opcode Fuzzy Hash: 5ce3be938202fc89d4940a7c393d288115e001bbe774357d2dabb7f9990e4a7c
Instruction Fuzzy Hash: 6B510EB4A006458FD749EF7BEA4069ABFE3FBC4304F14C979C015AF268EB74A9058B51

Function 06ADA1C8 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21a1156108069234fd7cef972e7a0748705b6ef205d908ba6c8c5249b4be277
Instruction ID: 99655085d80a4a395e30fc7f7acee294642facc06d33d4937fef05b18878aabf
Opcode Fuzzy Hash: e21a1156108069234fd7cef972e7a0748705b6ef205d908ba6c8c5249b4be277
Instruction Fuzzy Hash: 03E11A74E002198FDB14DFA9C5809AEFBF2FF89304F248169D515AB356DB30A981CFA1

Function 06ADA610 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d695bcb6fdcc546d6a14529ebe07429e51d23d86979af26ce4da15aa3c3dea
Instruction ID: 9ea75fa48d0d0f0e4d1d9b845ece8f8580f8fc6f70ff0ea2a173e6aafc4449ca
Opcode Fuzzy Hash: 32d695bcb6fdcc546d6a14529ebe07429e51d23d86979af26ce4da15aa3c3dea
Instruction Fuzzy Hash: 0BE11974E101198FDB14DFA9C5809AEFBF2FF88304F248169D515AB35AD731A982CFA1

Function 06ADC250 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767eaa90e1afcdd1572b9c83043767e140f9c86d6e33fffb2951e30e32dca5a8
Instruction ID: bff33094565cb3ca40d3727281912134390a736c8aafe5057177979f48bbcf5d
Opcode Fuzzy Hash: 767eaa90e1afcdd1572b9c83043767e140f9c86d6e33fffb2951e30e32dca5a8
Instruction Fuzzy Hash: 61E11B74E002198FDB54DFA9C5809AEFBF2FF89314F248169E416AB356D730A941CFA1

Function 06ADBE18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19130b8ca1f71d40793f9f5ab7a8704c7fbbba5e43e49a42c6785b731d4eb62c
Instruction ID: 538f9933f780e6ece7babce76e7e697f2b5b2215062b0a8555bd7fbd985c4463
Opcode Fuzzy Hash: 19130b8ca1f71d40793f9f5ab7a8704c7fbbba5e43e49a42c6785b731d4eb62c
Instruction Fuzzy Hash: DCE109B4E101198FDB14DFA9C5809AEFBF2FF89304F248169E455AB356DB30A941CFA1

Function 06AD9DA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89897cf9d735a8ecab52bde359afdb1a03d49b533104c45a9fc47fb8e07f8060
Instruction ID: 97ed3a3e8d1d3e75d838de1810eb3304afce5c30ae38d1757143232b9d53671c
Opcode Fuzzy Hash: 89897cf9d735a8ecab52bde359afdb1a03d49b533104c45a9fc47fb8e07f8060
Instruction Fuzzy Hash: 21E11974E002198FDB14DFA9C5809AEFBF2FF89304F248169E455AB35AD730A941CFA1

Function 06AD2387 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6f7b795e27602793b624ec1496a065f3afe8e46b0768d21bd6e0605b0ae960
Instruction ID: aa00adc185e5a1591a0ef20b7b79cb54e24f54d0d0ea64aa088fa52f0a1092fa
Opcode Fuzzy Hash: fa6f7b795e27602793b624ec1496a065f3afe8e46b0768d21bd6e0605b0ae960
Instruction Fuzzy Hash: 28D11831D1071A8ACB41EB64D950AAEB7B1FF95300F219B9AD04A3B225EF706AC5CF51

Function 06AD2398 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226b2a76960f32678f8829309742f523b620371a7904b0ecfbc9da48892f2231
Instruction ID: aaf5fbc7cd53bde6c18a6ad2f494b7070b408bf2f05c91f359dcdd0a87c5e1b1
Opcode Fuzzy Hash: 226b2a76960f32678f8829309742f523b620371a7904b0ecfbc9da48892f2231
Instruction Fuzzy Hash: 68D10931D1071A8ACB41EB64D950AAEF7B1FF95300F119B9AD04A3B225EF70AAC5CF51

Function 0224D404 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680354087.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2240000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd520bea260004bf9d4546c2f480ea6871590352c0d70f8d9d7bae8ab48f6148
Instruction ID: fc5c99ae5fff1f6aa50b4971835f6da6b792002b0380f505fec0b3595a6bc970
Opcode Fuzzy Hash: bd520bea260004bf9d4546c2f480ea6871590352c0d70f8d9d7bae8ab48f6148
Instruction Fuzzy Hash: 06A17B32E102058FCF09DFA4CA4099EBBB2FFC4304B15816AE901AB669DF35E955CF80

Function 06ADC240 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684484858.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac36b6872b62cc5f4b32bf2f0a44c233c3571bec4b1296c070e84bfcd86a4d49
Instruction ID: befd38a62bfab9e673f3464a45830130c2953a90fed7cf751d478e4b1e746486
Opcode Fuzzy Hash: ac36b6872b62cc5f4b32bf2f0a44c233c3571bec4b1296c070e84bfcd86a4d49
Instruction Fuzzy Hash: 67513E70E012198FDB54DFA9C5809AEFBF6FF89314F248169D419AB316D730A942CFA1

Function 04EE6531 Relevance: 41.7, Strings: 33, Instructions: 439COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04EE69B3
4'^q, xrefs: 04EE667B
4'^q, xrefs: 04EE681F
4'^q, xrefs: 04EE6A37
4'^q, xrefs: 04EE6888
4'^q, xrefs: 04EE6987
4'^q, xrefs: 04EE6842
4'^q, xrefs: 04EE6658
4'^q, xrefs: 04EE69DF
4'^q, xrefs: 04EE6A8F
4'^q, xrefs: 04EE6770
4'^q, xrefs: 04EE674D
4'^q, xrefs: 04EE6AE7
4'^q, xrefs: 04EE6865
4'^q, xrefs: 04EE6A63
4'^q, xrefs: 04EE6612
4'^q, xrefs: 04EE6793
4'^q, xrefs: 04EE6635
4'^q, xrefs: 04EE67D9
4'^q, xrefs: 04EE67B6
4'^q, xrefs: 04EE67FC
4'^q, xrefs: 04EE6A0B
4'^q, xrefs: 04EE669E
4'^q, xrefs: 04EE68AB
4'^q, xrefs: 04EE6903
4'^q, xrefs: 04EE672A
4'^q, xrefs: 04EE692F
4'^q, xrefs: 04EE66E4
4'^q, xrefs: 04EE66C1
4'^q, xrefs: 04EE695B
4'^q, xrefs: 04EE68D7
4'^q, xrefs: 04EE6707
4'^q, xrefs: 04EE6ABB

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2697097662
Opcode ID: 20cdcd9b2fe6f8a78d45b32bb572bad5717e82c26f0bc1d309265457692e709a
Instruction ID: 68ac64bdeda3358b0643083f5408aac6c51d2a3f7dfa9cb460ea3c27b5775dd7
Opcode Fuzzy Hash: 20cdcd9b2fe6f8a78d45b32bb572bad5717e82c26f0bc1d309265457692e709a
Instruction Fuzzy Hash: 9F12DE30E4121A8FCB48EF75E9506ADBBB2FF41304F5085A9D049AB269DF346D89CF91

Function 04EE6540 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04EE69B3
4'^q, xrefs: 04EE667B
4'^q, xrefs: 04EE681F
4'^q, xrefs: 04EE6A37
4'^q, xrefs: 04EE6888
4'^q, xrefs: 04EE6987
4'^q, xrefs: 04EE6842
4'^q, xrefs: 04EE6658
4'^q, xrefs: 04EE69DF
4'^q, xrefs: 04EE6A8F
4'^q, xrefs: 04EE6770
4'^q, xrefs: 04EE674D
4'^q, xrefs: 04EE6AE7
4'^q, xrefs: 04EE6865
4'^q, xrefs: 04EE6A63
4'^q, xrefs: 04EE6612
4'^q, xrefs: 04EE6793
4'^q, xrefs: 04EE6635
4'^q, xrefs: 04EE67D9
4'^q, xrefs: 04EE67B6
4'^q, xrefs: 04EE67FC
4'^q, xrefs: 04EE6A0B
4'^q, xrefs: 04EE669E
4'^q, xrefs: 04EE68AB
4'^q, xrefs: 04EE6903
4'^q, xrefs: 04EE672A
4'^q, xrefs: 04EE692F
4'^q, xrefs: 04EE66E4
4'^q, xrefs: 04EE66C1
4'^q, xrefs: 04EE695B
4'^q, xrefs: 04EE68D7
4'^q, xrefs: 04EE6707
4'^q, xrefs: 04EE6ABB

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2697097662
Opcode ID: b0f0767b54be6dc4909849e5f947132229467caf82974d7fcd2350eb543ed4ec
Instruction ID: 0f580042e3b1c3b27aee41b77e78eb97c1e90b311c25dc74e83910c4a249bde6
Opcode Fuzzy Hash: b0f0767b54be6dc4909849e5f947132229467caf82974d7fcd2350eb543ed4ec
Instruction Fuzzy Hash: E412DE30E412198FCB08EF76E9506ADBBB2FF41304F5085A9D049AB269DF346D89CF91

Function 06FB480A Relevance: 16.4, Strings: 13, Instructions: 155COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FB4894
4'^q, xrefs: 06FB48FD
4'^q, xrefs: 06FB48DA
4'^q, xrefs: 06FB4989
4'^q, xrefs: 06FB4966
4'^q, xrefs: 06FB49AC
4'^q, xrefs: 06FB48B7
4'^q, xrefs: 06FB484E
4'^q, xrefs: 06FB4871
4'^q, xrefs: 06FB49CF
4'^q, xrefs: 06FB4943
4'^q, xrefs: 06FB4920
4'^q, xrefs: 06FB482B

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-284850411
Opcode ID: 693c2c2220991c86a24c784fd834b4e3dc4c712320c7ed11eebc8197ee376cfd
Instruction ID: 759eae902b73a483d24fc0faaf0cb64d45846e315a4e8903e1bd8a3eb98c2d93
Opcode Fuzzy Hash: 693c2c2220991c86a24c784fd834b4e3dc4c712320c7ed11eebc8197ee376cfd
Instruction Fuzzy Hash: 7A51FE30E4020A9FCF0DEBA5E9505EDBBB2FF85604B1085A9D0566F369DF30694A8F91

Function 06FB4818 Relevance: 16.4, Strings: 13, Instructions: 118COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FB4894
4'^q, xrefs: 06FB48FD
4'^q, xrefs: 06FB48DA
4'^q, xrefs: 06FB4989
4'^q, xrefs: 06FB4966
4'^q, xrefs: 06FB49AC
4'^q, xrefs: 06FB48B7
4'^q, xrefs: 06FB484E
4'^q, xrefs: 06FB4871
4'^q, xrefs: 06FB49CF
4'^q, xrefs: 06FB4943
4'^q, xrefs: 06FB4920
4'^q, xrefs: 06FB482B

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-284850411
Opcode ID: 5726d5a0b5c3276341701b968189235790d17050efd3b062cf7a80ede5a92ff8
Instruction ID: 959a0c4829b6ff2e8af08931f2bf4d215da27692ba6f8ca43511a1ec489e5124
Opcode Fuzzy Hash: 5726d5a0b5c3276341701b968189235790d17050efd3b062cf7a80ede5a92ff8
Instruction Fuzzy Hash: 7F518630E4110A9FCF0CEFA5E9949EDB7B2FF84604B1085A8D1567F268DF31694A8F91

Function 06FB47AA Relevance: 15.1, Strings: 12, Instructions: 140COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FB49CF
4'^q, xrefs: 06FB4894
4'^q, xrefs: 06FB48FD
4'^q, xrefs: 06FB48DA
4'^q, xrefs: 06FB4989
4'^q, xrefs: 06FB4943
4'^q, xrefs: 06FB4966
4'^q, xrefs: 06FB49AC
4'^q, xrefs: 06FB48B7
4'^q, xrefs: 06FB4920
4'^q, xrefs: 06FB484E
4'^q, xrefs: 06FB4871

Memory Dump Source

Source File: 00000000.00000002.1684986944.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-242022331
Opcode ID: 59cecf400cf74d91172d26ff1f0e9c830333bad61b4809ea535df9c87a60b13f
Instruction ID: 3891132dc9169a03fc242e43188eaad1100874d5e0c9a04985e6eaa1e4cf6efb
Opcode Fuzzy Hash: 59cecf400cf74d91172d26ff1f0e9c830333bad61b4809ea535df9c87a60b13f
Instruction Fuzzy Hash: A451CA30E4020A9FCF0DEBA5E9509EDB7B2FF85704B1085A9D0566F369DF30694A8F91

Function 04EE3628 Relevance: 12.7, Strings: 10, Instructions: 178COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04EE379F
4'^q, xrefs: 04EE377C
4'^q, xrefs: 04EE382B
4'^q, xrefs: 04EE3759
4'^q, xrefs: 04EE3894
4'^q, xrefs: 04EE3871
4'^q, xrefs: 04EE3808
4'^q, xrefs: 04EE37C2
4'^q, xrefs: 04EE37E5
4'^q, xrefs: 04EE384E

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: 7f238bafe5863807ee20652720386d7878ab6e96ee689ac10aaa8e3e7de5a8df
Instruction ID: b34b37a4fc3c32a885140b0e7675c20b8122dc7f7d966a047a8a093880b3a8de
Opcode Fuzzy Hash: 7f238bafe5863807ee20652720386d7878ab6e96ee689ac10aaa8e3e7de5a8df
Instruction Fuzzy Hash: 3F711931E4070A8FCB08EFA5D9506EDB7B2FF85304F619A28D1556B258DF70698ACF80

Function 04EE3638 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04EE379F
4'^q, xrefs: 04EE377C
4'^q, xrefs: 04EE382B
4'^q, xrefs: 04EE3759
4'^q, xrefs: 04EE3894
4'^q, xrefs: 04EE3871
4'^q, xrefs: 04EE3808
4'^q, xrefs: 04EE37C2
4'^q, xrefs: 04EE37E5
4'^q, xrefs: 04EE384E

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: 15ff32eba335724ad67e3a0956738918050c66f98efc3f658cbd5789ae8f8688
Instruction ID: 79ca5cc1b7b3876bd22512699d4bdaba09fefaf4eec8a18571a2f893f163de94
Opcode Fuzzy Hash: 15ff32eba335724ad67e3a0956738918050c66f98efc3f658cbd5789ae8f8688
Instruction Fuzzy Hash: 0971F831E4070A9FCB08EFA5D9506EDB7B2FF85304F619628D1156B258DB70698ACB80

Function 04EE3001 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04EE30AB
4'^q, xrefs: 04EE30CE
4'^q, xrefs: 04EE3042
4'^q, xrefs: 04EE3065
4'^q, xrefs: 04EE3088

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-4202989938
Opcode ID: 600d959a4af9cffcbd26706bc90ee02408235b75aa092a6b4909ba50c210da87
Instruction ID: 4c980d0d9c266c680cccbb5b3005f87b766a52c85ed741b26694b08f2e4a6cbc
Opcode Fuzzy Hash: 600d959a4af9cffcbd26706bc90ee02408235b75aa092a6b4909ba50c210da87
Instruction Fuzzy Hash: 74414030E412069FCB08EFB5E854ADEBBB2FF48300B518569D1056B255DF786885CF90

Function 04EE3010 Relevance: 6.4, Strings: 5, Instructions: 100COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04EE30AB
4'^q, xrefs: 04EE30CE
4'^q, xrefs: 04EE3042
4'^q, xrefs: 04EE3065
4'^q, xrefs: 04EE3088

Memory Dump Source

Source File: 00000000.00000002.1683641309.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-4202989938
Opcode ID: 6b59da24b7818e7bb5a31a1e6c871a81b862b46e0990eba2c6867a7b8e0ddd2b
Instruction ID: 84b4395bd5835b3f4a78004a932353c811f02dfee2da2f8caaafd3aa220976b2
Opcode Fuzzy Hash: 6b59da24b7818e7bb5a31a1e6c871a81b862b46e0990eba2c6867a7b8e0ddd2b
Instruction Fuzzy Hash: B0410E30E512069FCB08EFB5E854AEEB7B2FF88310B518669D1056B254DF786D85CF90

Analysis Process: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exePID: 7812, Parent PID: 7700COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 0112B0BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112B6EE,?,?,?,?,?), ref: 0112B7AF

Memory Dump Source

Source File: 00000002.00000002.2788104464.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1120000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 730449c07aa3d058893f72a0ebefaefb3f8fc9b2a6a4b72ed836f56fbb8ec6aa
Instruction ID: 7b6f61deaa593afa35c3537b48ae85924addc1bf1844ce302f9e46bd3e07d0ed
Opcode Fuzzy Hash: 730449c07aa3d058893f72a0ebefaefb3f8fc9b2a6a4b72ed836f56fbb8ec6aa
Instruction Fuzzy Hash: 9B2103B5904218AFDB10CF9AD584AEEBFF5EB48310F14801AE914A7350D375A950CFA5

Function 011261F8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0112627B

Memory Dump Source

Source File: 00000002.00000002.2788104464.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1120000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e8673bad880b44371d62ae2650977081cad4d2d02caea0b57811cd0da4e7a0a2
Instruction ID: f6c6f48112a131a994165ef2e8181bfa3ba58b297bd92df7471f92f5f09c41f9
Opcode Fuzzy Hash: e8673bad880b44371d62ae2650977081cad4d2d02caea0b57811cd0da4e7a0a2
Instruction Fuzzy Hash: E62135B1D00219DFDB14DF9AD944BEEFBF5EB88310F10842AD459A7290C774A940CFA5

Function 01126200 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0112627B

Memory Dump Source

Source File: 00000002.00000002.2788104464.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1120000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 42a71ea381fa45576c849ff77d875457c99cca19a7d8c2c9d91f2258ec4ba50a
Instruction ID: 4738ac98f13809218008a0dc136c5690580ea10fb7edce5d8a687fba109d5339
Opcode Fuzzy Hash: 42a71ea381fa45576c849ff77d875457c99cca19a7d8c2c9d91f2258ec4ba50a
Instruction Fuzzy Hash: F52127B1D002199FDB14DF9AD944BEEFBF5EB88310F10842AD459A7290C774A944CFA5

Function 00EED24C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2786824427.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_eed000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d38107d1c8c3f9cad466660dc865891f6a4e61f13572b46f8d4ccb68256123
Instruction ID: 55aab0524a3f14b1ae2d0533e964204cfb6f3f2dc98df3b68dc639584ea5c8f8
Opcode Fuzzy Hash: a7d38107d1c8c3f9cad466660dc865891f6a4e61f13572b46f8d4ccb68256123
Instruction Fuzzy Hash: 61212871508288DFCF15DF15DDC0B2ABF65FB88314F20C569EA095B256C336D816CBA2

Function 00EED428 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2786824427.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_eed000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a4f66eb53facd3426d3472532d7700fd6e6e97e0ead353bde4d17f71c66d5c
Instruction ID: 7e94ee441655dc09cdc76b3cdd4f8141e0ae32546edb10232584838c629f5502
Opcode Fuzzy Hash: 29a4f66eb53facd3426d3472532d7700fd6e6e97e0ead353bde4d17f71c66d5c
Instruction Fuzzy Hash: 8F216A71108288DFDB01DF14CDC0B26BF65FBA4318F20C569E8095F296C336E846C7A1

Function 010DD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2787236398.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10dd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee278b520d37d9302f0f12f2954df920e5cdd9a866147f6841f396dc2cb5b2db
Instruction ID: 4529bfb0a9580fb2d1de8937b7cddbeef3f01a776f05621eea205639f7fd000c
Opcode Fuzzy Hash: ee278b520d37d9302f0f12f2954df920e5cdd9a866147f6841f396dc2cb5b2db
Instruction Fuzzy Hash: 9E212279500300EFDB05DF68C980B2ABFA5EB88314F20C5ADD8894B296C33AD446CB61

Function 010DD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2787236398.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10dd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0c849035a7e9cef09e32aee50f35ccfcc4edfdb2e5beaa3f93cbcffad9f966
Instruction ID: 2905f98cfebc340ce1f6aa9a588664687895390fafb86571488cad0df4f85553
Opcode Fuzzy Hash: 8b0c849035a7e9cef09e32aee50f35ccfcc4edfdb2e5beaa3f93cbcffad9f966
Instruction Fuzzy Hash: B321F271644300DFDB15DF68C984B2ABFA5EBC4354F24C6ADE9894B292C336D846C761

Function 010DD006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2787236398.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10dd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c91f5dbb208221c2f1c68d4f667c711425e74374d7f939c3bc346cc9d0eb9f5
Instruction ID: 1cc82c444ff7a59c825771a357d14e88106923ffea0fd138441f96013d26076d
Opcode Fuzzy Hash: 9c91f5dbb208221c2f1c68d4f667c711425e74374d7f939c3bc346cc9d0eb9f5
Instruction Fuzzy Hash: 8A21C6755093808FD713CF24C590715BFB1EB85214F28C5DAD8898B6A3C33AD44ACB52

Function 00EED247 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2786824427.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_eed000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: d131613a2c6096615b16119c24aafb179ec1b74a3219dd2dbfe0c82749feb1cd
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 5221E176408284CFCB16CF10D9C4B16BF72FB88314F24C5A9DD080B256C33AD81ACBA2

Function 00EED423 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2786824427.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_eed000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 51cd92a46b215d22ad2fc0ae3f941bf97d3a9a4406c4af400fe986854b6ee9fe
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8D11E676504284DFDB16CF14D9C4B16BF71FBA4318F24C5AADC090B656C336D85ACBA1

Function 010DD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2787236398.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10dd000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5ed5bb443e2dd572572916865761a33acf1d13a9cfd31c7fe3b579792d650a19
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3211BB79504380DFDB06CF68D9C4B15BFA2FB84214F24C6AAD8494B296C33AD44ACB61

Analysis Process: powershell.exePID: 7920, Parent PID: 7812COMMON

Executed Functions

Function 07140860 Relevance: 14.5, Strings: 11, Instructions: 738COMMON

Download Yara Rule

Strings

tP^q, xrefs: 071408DD
4'^q, xrefs: 07140CF0
tP^q, xrefs: 071408E9
$^q, xrefs: 07140872
4'^q, xrefs: 07140E4A
Ll, xrefs: 07140955
$^q, xrefs: 071408A4
$^q, xrefs: 07140898
4'^q, xrefs: 07140E40
Ll, xrefs: 07140947
4'^q, xrefs: 07140CE6

Memory Dump Source

Source File: 00000003.00000002.1721759120.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7140000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$Ll$Ll
API String ID: 0-3181695948
Opcode ID: 2767f226bd0c13d1af51ee210357c7eef32fdbec787b4023a642432801d461e3
Instruction ID: 9bc981d75296693f4365378b0474262d3b4e5fa8146b7639840ce8f26c740974
Opcode Fuzzy Hash: 2767f226bd0c13d1af51ee210357c7eef32fdbec787b4023a642432801d461e3
Instruction Fuzzy Hash: 76326CB27042559FC7168B7A981176ABFA2AFCA310F1480FAD605DF3E2DB31D845C7A1

Function 043F4088 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716277403.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9801de4a517ac6ec4a5e2e522548d1d12494999702519ee4c308e1eb4120c8
Instruction ID: f08464c2ebd16b528ca8aeb7843a325067d0969255dd2f73edeaa7ee50f0a22f
Opcode Fuzzy Hash: 5b9801de4a517ac6ec4a5e2e522548d1d12494999702519ee4c308e1eb4120c8
Instruction Fuzzy Hash: 3F422774A002599FCB05CF98C984AAEFBB2FF58310F258569E915AB365C735FC81CB90

Function 043F4199 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716277403.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db057c79c7f5bb4b1333db3e807ddc44f2f40263994cbd6d64ce14698876d5f
Instruction ID: 6e8acc2c7620126157025be230a9fe635a4078f27d8297c2b79f04e76b9c7d0e
Opcode Fuzzy Hash: 4db057c79c7f5bb4b1333db3e807ddc44f2f40263994cbd6d64ce14698876d5f
Instruction Fuzzy Hash: 7D4148B4A001059FCB09CF99C5989AAFBB1FF58310B15856AD901AB364C736FD50CFA4

Function 043F2FCF Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716277403.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2a309e00717ae2eab19124b81bfaaf046210d0a785b8f3e7d45eeaccd4f8f1
Instruction ID: d1d719b93240da8dab0152cfa646eeeb8a105a928eb6524c4bc5d4a508b2ad67
Opcode Fuzzy Hash: ba2a309e00717ae2eab19124b81bfaaf046210d0a785b8f3e7d45eeaccd4f8f1
Instruction Fuzzy Hash: 1531AB74A093968FCB01DF6CD8909AABFB0EF4A300B154197D945DB362C335ED49CBA1

Function 043F3ABD Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716277403.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f274afbc500319d204eb52d89abf638c3816a3ee389f466c77fe88f95202c18f
Instruction ID: e5dbcefaf8238d10007bbfdcb3eebe4833ed6ba19b148793699db115c578c55b
Opcode Fuzzy Hash: f274afbc500319d204eb52d89abf638c3816a3ee389f466c77fe88f95202c18f
Instruction Fuzzy Hash: EB318AB4A005059FCB09CF98C998ABAF7B1FF58314B15866AD912AB265C736FC50CB90

Function 043F3010 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716277403.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602f991d1d9353fac39c4bb68b5895a8bdb9eab07d923739c1f1cb5abe1f5776
Instruction ID: 2dd09093efc3eae21b2f1a323957ea4152225f497fa0e037b9b58c46c6cda9bb
Opcode Fuzzy Hash: 602f991d1d9353fac39c4bb68b5895a8bdb9eab07d923739c1f1cb5abe1f5776
Instruction Fuzzy Hash: C02129B4A0421A9FCB04CF5CC9909AABBB5FF89300B158496E919EB356C735FD41CBA1

Function 029AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1715063810.00000000029AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43530f0cfa95fd7e3d75473b4a2035787ff8b6f0ae132999c42bcfcd0ac3f053
Instruction ID: 09859b98be3d32d0393c5d780ec8fc0e4e019f00d65cb6b67d956bde2216744a
Opcode Fuzzy Hash: 43530f0cfa95fd7e3d75473b4a2035787ff8b6f0ae132999c42bcfcd0ac3f053
Instruction Fuzzy Hash: 7A01F2711093509AE7108B29C994B6BBFDCEF41324F08C82AED480B646C3799881CAF1

Function 029AD006 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1715063810.00000000029AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7c4b70fe07e00586bd288f5a5134a99b7ef2283a4dd246d638747cbc2cedb9
Instruction ID: 4fd33d448625e59cdf9afccfc5079de3ed3d44edb09395be269fb06342463ab3
Opcode Fuzzy Hash: 2f7c4b70fe07e00586bd288f5a5134a99b7ef2283a4dd246d638747cbc2cedb9
Instruction Fuzzy Hash: 6101757150E3C09EE7128B258CA4756BFB8EF52224F1CC4CBD9884F6D7C2699844C7B1

Non-executed Functions

Function 07140148 Relevance: 12.8, Strings: 10, Instructions: 321COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07140257
Ll, xrefs: 071403FF
$^q, xrefs: 0714032A
#Fk, xrefs: 07140217
tP^q, xrefs: 071403A1
$^q, xrefs: 0714035C
tP^q, xrefs: 07140395
$^q, xrefs: 07140350
4'^q, xrefs: 0714024B
Ll, xrefs: 0714040D

Memory Dump Source

Source File: 00000003.00000002.1721759120.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7140000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$#Fk$$^q$$^q$$^q$Ll$Ll
API String ID: 0-3724334424
Opcode ID: c0100c35cc1dc5a94ed9efd33b5f5554dcbd0d692f0fa6db94aff47adcfad140
Instruction ID: 6d9e17cc9b59ae70d3a4661cabdc238a3926b38e331ed744f834b4a6c3009fae
Opcode Fuzzy Hash: c0100c35cc1dc5a94ed9efd33b5f5554dcbd0d692f0fa6db94aff47adcfad140
Instruction Fuzzy Hash: 53A14AB27043558FC7264A7A981066ABFE1AFCA620F1884ABD645CB3E1DB35C845C7A1

Function 07141F20 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

$^q, xrefs: 07141F2F
$^q, xrefs: 07141F5A
Ll, xrefs: 07141F9D
$^q, xrefs: 07141F66
Ll, xrefs: 07141FAB

Memory Dump Source

Source File: 00000003.00000002.1721759120.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7140000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$Ll$Ll
API String ID: 0-2289817599
Opcode ID: 52d07c2fda83edc9290d51618b3a93956ba2f7adf1f7e7628b73fd7656588b19
Instruction ID: 06383b9df8082c34b9841b8460f1d9dd8c88b7bc6a11cbc07006229f5213da90
Opcode Fuzzy Hash: 52d07c2fda83edc9290d51618b3a93956ba2f7adf1f7e7628b73fd7656588b19
Instruction Fuzzy Hash: F4112C7131030EBBDB29555A9804B27B7D6ABC1720F24842AA549CB3D4CF32C4CBD351

Function 07142428 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 0714243A
$^q, xrefs: 07142490
$^q, xrefs: 07142484
$^q, xrefs: 07142456

Memory Dump Source

Source File: 00000003.00000002.1721759120.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7140000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b3bbd7206c0c647024e6c9c4d0ae79830e93ee95bf243aa7c37fd7b097ca1261
Instruction ID: c9ab54e85fc16c282020e279adde792cf7c89857dfe9ab21f8fa28c0663009b8
Opcode Fuzzy Hash: b3bbd7206c0c647024e6c9c4d0ae79830e93ee95bf243aa7c37fd7b097ca1261
Instruction Fuzzy Hash: 2F2147B17043069BDB38592E9C14B27A6D6FBC1720F28842AF809DF3C5CF39C8808361

Analysis Process: powershell.exePID: 8096, Parent PID: 7812COMMON

Executed Functions

Function 079B0860 Relevance: 14.5, Strings: 11, Instructions: 703COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079B0E4A
tP^q, xrefs: 079B08DD
tP^q, xrefs: 079B08E9
Ll, xrefs: 079B0955
$^q, xrefs: 079B0872
$^q, xrefs: 079B08A4
$^q, xrefs: 079B0898
Ll, xrefs: 079B0947
4'^q, xrefs: 079B0CF0
4'^q, xrefs: 079B0E40
4'^q, xrefs: 079B0CE6

Memory Dump Source

Source File: 00000005.00000002.1740392213.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$Ll$Ll
API String ID: 0-3181695948
Opcode ID: bda5c342cd4f21ca2e419fd31d826615a383ebdbd4eb6b56fc5b29ebf88e03c2
Instruction ID: 1ad8e068b062b4796d050b75fce1bff23c5680ff4f34cdc20f506d12fb1c5579
Opcode Fuzzy Hash: bda5c342cd4f21ca2e419fd31d826615a383ebdbd4eb6b56fc5b29ebf88e03c2
Instruction Fuzzy Hash: AF3226B2B042158FCB348B6D99157ABBBE6AFC1318F14846AD905CF362DB32D845C7A1

Function 04B242F0 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1734120777.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab24deef7b8c2de56cde8ad3a39088f9fd97e7664bade8d45f43ee645f334655
Instruction ID: c671e9c6d924fd32d59b4ae0f7fda4fa0b125f8fc64841f1817079ec99b7b342
Opcode Fuzzy Hash: ab24deef7b8c2de56cde8ad3a39088f9fd97e7664bade8d45f43ee645f334655
Instruction Fuzzy Hash: D5125C74A00259DFCB05CF98C584AAEFBB2FF89310F158599E859AB765C731EC81CB90

Function 079B0997 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1740392213.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372eb14cfc59db5627276b8cb0ea37215670065b9bb6c9ce16db841e88dcd61a
Instruction ID: 75cd584bf992fa064b3cdb151dc35851e01479494ba8d091620860f37117297d
Opcode Fuzzy Hash: 372eb14cfc59db5627276b8cb0ea37215670065b9bb6c9ce16db841e88dcd61a
Instruction Fuzzy Hash: 2A41E7F0A10212CFCF308F2D8A51BAB7BA6AF8075CF1484A6D9059F666D735D980C7A1

Function 04B22FDF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1734120777.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af1a4e6cc1c1429a0b548074373e4f3fde2ded5dda18c049879bb42ef9f4aac
Instruction ID: ac7dac1a1a7d1cad316f817d9b0776a4376fbfe609f1be2f3f6182adbb203f39
Opcode Fuzzy Hash: 6af1a4e6cc1c1429a0b548074373e4f3fde2ded5dda18c049879bb42ef9f4aac
Instruction Fuzzy Hash: A7219EB5E042598FCB01CF6CC590AAABBB0FF8A300B0545DAD848DB352C635FC45CBA1

Function 04B23010 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1734120777.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535c93d0a7677633f95110974e0b43c1620754325ff63025f02386598e318fa9
Instruction ID: 8d595c4340a36bd53f55c20936cc1aab31d92b6c09dcca542a3cbf2769762efc
Opcode Fuzzy Hash: 535c93d0a7677633f95110974e0b43c1620754325ff63025f02386598e318fa9
Instruction Fuzzy Hash: D6212CB4A042199FCB04CF6CC5809AABBF4FF89300B158596E819EB356C735FD41CBA1

Function 0317D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1733047219.000000000317D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0317D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_317d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db6e6ec7fc68144f91eee0315a6fcdc5df6790ac9ef35189206b7a22443a763
Instruction ID: ba159989f48739e8a364c9f273c814f12c18096640157ace53f97c516716d376
Opcode Fuzzy Hash: 0db6e6ec7fc68144f91eee0315a6fcdc5df6790ac9ef35189206b7a22443a763
Instruction Fuzzy Hash: F701F2310083489BE714CA29E984B67FFA8EF49324F1CC46AED080A246C7799881C6B1

Function 0317D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1733047219.000000000317D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0317D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_317d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64696ee429aa0b05304636fe92fcc4071db97ef4dd4eaabce70998f7e7822a63
Instruction ID: 03d70c91db18197b0c43155e9c58dff27bc1e5a94cd8887282e48a7e2148d753
Opcode Fuzzy Hash: 64696ee429aa0b05304636fe92fcc4071db97ef4dd4eaabce70998f7e7822a63
Instruction Fuzzy Hash: 3101407100E3C49FD7128B25D894B52BFB4EF57224F1D81DBD9888F2A3C2699848C772

Function 04B2429E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1734120777.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7712c0af34b62b864010d1d7a5654c65b19442643b58e8ed490af8a0962c2b82
Instruction ID: dff653123fdde3c5bbcdcd1465bd0afa09f57e235c7339a5ec4cd2c77bd88df9
Opcode Fuzzy Hash: 7712c0af34b62b864010d1d7a5654c65b19442643b58e8ed490af8a0962c2b82
Instruction Fuzzy Hash: 72F0DA35A001159FCB15CF9DD990AEEF7B1FF88324F208259E515A72A1C736AC52CF50

Non-executed Functions

Function 079B0148 Relevance: 12.8, Strings: 10, Instructions: 313COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079B024B
Ll, xrefs: 079B03FF
4'^q, xrefs: 079B0257
$^q, xrefs: 079B032A
tP^q, xrefs: 079B0395
$^q, xrefs: 079B035C
tP^q, xrefs: 079B03A1
$^q, xrefs: 079B0350
Ll, xrefs: 079B040D
#Fk, xrefs: 079B0217

Memory Dump Source

Source File: 00000005.00000002.1740392213.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$#Fk$$^q$$^q$$^q$Ll$Ll
API String ID: 0-3724334424
Opcode ID: 1d6246fbd8f56d25683c3bf0619f91f6747660eb335d445ddbec279d20ecc92f
Instruction ID: 7a83735e0daa36ccf730b37a47615e29291f2436fc148c5de8d9aa9d60ed82e4
Opcode Fuzzy Hash: 1d6246fbd8f56d25683c3bf0619f91f6747660eb335d445ddbec279d20ecc92f
Instruction Fuzzy Hash: 77A16AB27043158FC7358B6D9A146ABBBEAAFC2214F18847BD445CB361EF32C845C3A1

Function 079B1F20 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

$^q, xrefs: 079B1F5A
Ll, xrefs: 079B1FAB
Ll, xrefs: 079B1F9D
$^q, xrefs: 079B1F66
$^q, xrefs: 079B1F2F

Memory Dump Source

Source File: 00000005.00000002.1740392213.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$Ll$Ll
API String ID: 0-2289817599
Opcode ID: ffc4496e34dfd7ab3599c27cff8e55d8a57d27593bee76ecd39192387c9ec89b
Instruction ID: 3d99b5cf915ade2d7cfc717fc71d23a1fd1fbac8df0504c9f012eadf14f9a6cf
Opcode Fuzzy Hash: ffc4496e34dfd7ab3599c27cff8e55d8a57d27593bee76ecd39192387c9ec89b
Instruction Fuzzy Hash: E5115C7135030E9BDB34491A9A16BA7B7AEEBC1724F24842BA544CB394CF72E441C351

Function 079B2428 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 079B2490
$^q, xrefs: 079B243A
$^q, xrefs: 079B2484
$^q, xrefs: 079B2456

Memory Dump Source

Source File: 00000005.00000002.1740392213.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 9d36d6291b143da0b9799a0157abbe01b8fa878d38e5ee78a5ab7421afc6ca12
Instruction ID: 745a53746a409ae244f5b2b8b9a127592e73fa35f524709988f44707278668cf
Opcode Fuzzy Hash: 9d36d6291b143da0b9799a0157abbe01b8fa878d38e5ee78a5ab7421afc6ca12
Instruction Fuzzy Hash: 9A216BB17143065BDB385B2A9D14BA7B6DBFBC5718F24883AE805CF785CE75C8418361

Analysis Process: powershell.exePID: 7264, Parent PID: 7812COMMON

Executed Functions

Function 0478B490 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

{Y3n^, xrefs: 0478B6F0, 0478B6F5
Y3n^, xrefs: 0478B557

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: {Y3n^$Y3n^
API String ID: 0-1654772040
Opcode ID: 9ed77f952da21d1b50ee565f38762cee3bd33b2eaaa86910bcf352f7a6d6ef04
Instruction ID: d87b0f0d6028f65b244b2a523d51141133a275ca26597899eb130ccdfe366a3f
Opcode Fuzzy Hash: 9ed77f952da21d1b50ee565f38762cee3bd33b2eaaa86910bcf352f7a6d6ef04
Instruction Fuzzy Hash: 9B915171F006145BEB69EFB585146AEB6E3EFC4704B10892DD10AAB340DF74AD0A8BD6

Function 07583CE8 Relevance: 5.6, Strings: 4, Instructions: 603COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07584030
4'^q, xrefs: 07584180
4'^q, xrefs: 07584026
4'^q, xrefs: 0758418A

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 9ea57cd54d8db869454bd8e4bea44687f92d8283e6534ffeda70e6643781f909
Instruction ID: eddc4e5a5d958dc6b539edb294ca57c88434b3abb6244d0d38244e6bcb53d83b
Opcode Fuzzy Hash: 9ea57cd54d8db869454bd8e4bea44687f92d8283e6534ffeda70e6643781f909
Instruction Fuzzy Hash: 51127BB17042568FCB55AF68C8117ABBBE2BF82650F14846BD805EF262DF32D845C7A1

Function 075817B8 Relevance: 2.8, Strings: 2, Instructions: 336COMMON

Download Yara Rule

Strings

Ll, xrefs: 0758193A
Ll, xrefs: 0758192C

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: Ll$Ll
API String ID: 0-1894504786
Opcode ID: 54ac3b733350d23bce92ce395d3fa5b4319f95d54d4f208eb60854b3e8328c85
Instruction ID: 583a4ecb9907fbe7e6366691bfd8934113a0860044122fe37c5f48e7b9d5eb73
Opcode Fuzzy Hash: 54ac3b733350d23bce92ce395d3fa5b4319f95d54d4f208eb60854b3e8328c85
Instruction Fuzzy Hash: 3DB139B1B046498FCB54AB69D4006EABBE6BF86210F18C4BFD405EB251DB31DC46C7A1

Function 04786FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(bq, xrefs: 04787105

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ee9a40585861e14ff01c772a02821ed51033a2dc11e405579a97986fc0b2fc87
Instruction ID: bc14b5dcbf68afe3cc0a701a1d6f803920fe8dd89ff2decfc52d91da56e143ee
Opcode Fuzzy Hash: ee9a40585861e14ff01c772a02821ed51033a2dc11e405579a97986fc0b2fc87
Instruction Fuzzy Hash: B5416F34B441148FCB18DFA9C854AAEBBF2EF8D311F244498E402AB395DB35ED01CB61

Function 0478AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&^q, xrefs: 0478AFBA

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 55ca62b0c21038e028aaa95d55aaf91c72fbafd56208e2e89c8d12b8284b7125
Instruction ID: 5f1c643d6dd023217566ccfd4fe3a89a457532dc46e7e893c41a71b3e5c135e7
Opcode Fuzzy Hash: 55ca62b0c21038e028aaa95d55aaf91c72fbafd56208e2e89c8d12b8284b7125
Instruction Fuzzy Hash: 8E21DE71A042588FCB14EFAED44469EBFF5EB89320F24846EE018E7350CA75A805CFE5

Function 0478DC88 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

+/3n^, xrefs: 0478DCBE

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: +/3n^
API String ID: 0-1350244136
Opcode ID: 703bd06d559353846d3b59ad63eb95d20ccec28b97756a17fe6a3ac760115524
Instruction ID: d6c83f9ce52de8929e0ef69f8cc952b0b49e108d49ab3b6767504bff23e07ba3
Opcode Fuzzy Hash: 703bd06d559353846d3b59ad63eb95d20ccec28b97756a17fe6a3ac760115524
Instruction Fuzzy Hash: B5F024327842445F8726666EA8208EA7BA9DEC627170000AFE0888B381EA60BC0487F1

Function 0478DC98 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

+/3n^, xrefs: 0478DCBE

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: +/3n^
API String ID: 0-1350244136
Opcode ID: 61f586211c683d72fd820e5904d83ca0e995128dcc2baf31aa33adbfca0ded24
Instruction ID: 9cade70d3bc1968f25d36769dace98f2b2e652864cf063f71b37e4cea77d4d12
Opcode Fuzzy Hash: 61f586211c683d72fd820e5904d83ca0e995128dcc2baf31aa33adbfca0ded24
Instruction Fuzzy Hash: B6E0C2317806140B8725BA2EA81485FB7DBDFC4771720403EE129CB380DFA0EC094BE5

Function 047829F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78725759d5ea814b4d58b88b1225c017945fa0f37f6e2a6eb61a6871413b5244
Instruction ID: f2a906989d79197a5a8a351fe990c5fbf9c59d0a5faff83575ed1b67d8512ea7
Opcode Fuzzy Hash: 78725759d5ea814b4d58b88b1225c017945fa0f37f6e2a6eb61a6871413b5244
Instruction Fuzzy Hash: 19917AB4A002058FCB15DF59C5989BEFBB1FF88310B248599D815AB3A6C736FC51CBA0

Function 04787740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b177ec883958668df8f63e5f4363031803c82bf0b027f1841d0dabee9a8d344
Instruction ID: a3c49d8daba28746e458912bb2363e732c081c81d99d302142c890e6b8364769
Opcode Fuzzy Hash: 8b177ec883958668df8f63e5f4363031803c82bf0b027f1841d0dabee9a8d344
Instruction Fuzzy Hash: 8451A0353042159FD718AB79DC44A6A77EAEFC9225F2444AAE50ACB351EB35EC01CBA0

Function 0478BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccd27dee5d6e250c218afd591ce857bd373162ca4b507d805e9d29b4cebd3c6
Instruction ID: 183388581490cc74d6649072fbcc9998c7d4cee1c0a9b1892a6009b3a3d97de6
Opcode Fuzzy Hash: dccd27dee5d6e250c218afd591ce857bd373162ca4b507d805e9d29b4cebd3c6
Instruction Fuzzy Hash: 12611871E00248CFDB14DFA9D58469DFBF1EF98310F24816AE819AB354EB34AD85CB60

Function 075828E8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a81efb556e05bccbc66c680e41687e137263d490be985fb188f245582d38b13
Instruction ID: 0f5d8fb2a53618ff752b3c9aa4928d2036947a55b2e1b6663c807d6931744a36
Opcode Fuzzy Hash: 6a81efb556e05bccbc66c680e41687e137263d490be985fb188f245582d38b13
Instruction Fuzzy Hash: 78512DB1710245CFCB65ABA888017AABFE6BF86210F1440BAD545DF362DE31DD85C7B2

Function 0478BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca1db0cca6ec01546b95dda8cfe8c21c57547b3636bfce4189e0be6de0a33b8
Instruction ID: c0fb39b1cea69085bfe76a7dc7fea167e31f003e99d5133c95741de210a3c78b
Opcode Fuzzy Hash: aca1db0cca6ec01546b95dda8cfe8c21c57547b3636bfce4189e0be6de0a33b8
Instruction Fuzzy Hash: 92513770E002488FCB54DFA9D584A8DFFF1EF98310F24816AE819AB364EB34AC45CB50

Function 0758271F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb56c059b11b10cfc9157fc2b9e420e1fe63532ec968f2f6daad07a9b553f4e8
Instruction ID: 7656c5531ecc55af5bb2423588e6f61768ab0fd0853d57c6f036f13b397f412e
Opcode Fuzzy Hash: cb56c059b11b10cfc9157fc2b9e420e1fe63532ec968f2f6daad07a9b553f4e8
Instruction Fuzzy Hash: DB4149B5700206DFDF646BA988406EABFE6FB85211F048466E901EF2A1DB35DC44CB61

Function 07583CCE Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d31e936b399b6717a4de23bf159ea8c21112af7a4fcba2378053da8402e36
Instruction ID: a7b6516805558c41ddee0d0381612462de867049bd7275e5c6aae13020f4c39d
Opcode Fuzzy Hash: 293d31e936b399b6717a4de23bf159ea8c21112af7a4fcba2378053da8402e36
Instruction Fuzzy Hash: F5414EF1601202CBDBA5AB65C911BEE7BE2BF81B50F1444ABD800BF651D735D844C7A1

Function 04786FB0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90823c63446b0b0ed233409bd890fb79f18699bacc662a1b02e15684a5692d85
Instruction ID: e41c4cee5428853116a0516082bf9e2c71c5752dc7ea9c8f49dad2fb09b32677
Opcode Fuzzy Hash: 90823c63446b0b0ed233409bd890fb79f18699bacc662a1b02e15684a5692d85
Instruction Fuzzy Hash: 2241E9706483458FCB0ADF65C8589AABFF1AF8A310F1944DDE446AB3A2DB35DC01CB21

Function 04782B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586b5fdb5975e8c8e586f6b3aa42924ba785dfd8d346c25a44d9a0e4ab39ab50
Instruction ID: 87cfe33ed5b982a9d4bcc6782ece5fa2e96e574f5f1923d650f05655946c3cfb
Opcode Fuzzy Hash: 586b5fdb5975e8c8e586f6b3aa42924ba785dfd8d346c25a44d9a0e4ab39ab50
Instruction Fuzzy Hash: 3A4126B4A405059FCB09DF58C198ABAFBB1FF48310B1185A9D915AB365C736FC91CFA0

Function 0478C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9540534ffb1ae830a6744db6e5cfe3713b956a57130e8876d31b3edfc602ab
Instruction ID: fdf6d0c39e7bc25c2a4f7a9f234df858cf42838a813b201b4df14d517cab1ae1
Opcode Fuzzy Hash: 3d9540534ffb1ae830a6744db6e5cfe3713b956a57130e8876d31b3edfc602ab
Instruction Fuzzy Hash: ED318F313402009FDB15EB68E894A9EB796EFD4311F20823DD50ACB365DF71AC85CBA1

Function 0478AE60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97b0d71bfd150cf93eb757a6fa27330d5e642d1785886f4285340b8a3e4954a
Instruction ID: 2edb6a4e8d6c78feb5e0f735ddba3f54ad7cc0990e852ea4c89be96452769ce5
Opcode Fuzzy Hash: b97b0d71bfd150cf93eb757a6fa27330d5e642d1785886f4285340b8a3e4954a
Instruction Fuzzy Hash: 95316C70A402099FDB04EFA9D4956AEBBF6EF89310F24806EE405EB351EB349C418B61

Function 0478DFC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d6faf563290a0c4cb44c4d0ff7b28dc1e2cefcb8c194619c25cd5e02b64139
Instruction ID: 75eb2092a622e93e0c162c88d73a8fd5a77638d832e7de03c7a97a1c03b50df4
Opcode Fuzzy Hash: 42d6faf563290a0c4cb44c4d0ff7b28dc1e2cefcb8c194619c25cd5e02b64139
Instruction Fuzzy Hash: 82315A70A402048FDB149F69D4586AEBBF2EF89320F24496DD406EB390EF75AC45CF60

Function 0478AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ff17d28f11687b25bdf7add2307ec4d04faf8e1c770e3ff65a38e25600acf9
Instruction ID: 16c63d000eb8c1bb1f170da498d6fc80519d2d3cbf64069c3603fc666c75b7f8
Opcode Fuzzy Hash: d0ff17d28f11687b25bdf7add2307ec4d04faf8e1c770e3ff65a38e25600acf9
Instruction Fuzzy Hash: 273181B4E042459FDB05EFA8D454AAEBBB3EF85300F2184A9D105AB395CE78AD418F61

Function 0478AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea34e22a56995de6f4732e08728bb20c4b16784bd041006996af904807960baf
Instruction ID: c11cd65302b04c8525430743a97785126f9fe4ba7c109d6b777fe51130ee94a1
Opcode Fuzzy Hash: ea34e22a56995de6f4732e08728bb20c4b16784bd041006996af904807960baf
Instruction Fuzzy Hash: 86314B70A402099BDF04EFA9D5947AEBAF6EF88310F25806EE405EB354EE349C418B61

Function 0478AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cea28cb8b7d2ffb049703573dd1a5ace3a6977f99064ef3b8022907b17a7c89
Instruction ID: f392faf84a477c443a58e4f28785689000673dc48bca1c0049f6721730b81df4
Opcode Fuzzy Hash: 9cea28cb8b7d2ffb049703573dd1a5ace3a6977f99064ef3b8022907b17a7c89
Instruction Fuzzy Hash: 503123B4E002059FDB44EFA8D454AAEB7B3EF84304F2184A9D515AB394DE39AD418FA1

Function 0478DFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e077daef9e999f79182d90f9bf9987ebf452d7e050042a7541fe18fd1a94716a
Instruction ID: 232bda88e9f868ef71b27b68ab9d1540ac74730b8ebb620d0e47cda84855c814
Opcode Fuzzy Hash: e077daef9e999f79182d90f9bf9987ebf452d7e050042a7541fe18fd1a94716a
Instruction Fuzzy Hash: A6310670A402048FDB149F69D458A9EBBF2EF88310F24496DD406EB391EF75AC85CFA1

Function 02D4F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f04ef93d314d166b93226a22860e90747ebad08cdbbd1f8486e459f49faff0
Instruction ID: d800ca9f03147090cd793b0e8d4f8b82df0aabea44753d8692e9afd6608b393f
Opcode Fuzzy Hash: 49f04ef93d314d166b93226a22860e90747ebad08cdbbd1f8486e459f49faff0
Instruction Fuzzy Hash: 73212172600200EFDF05DF14D9C0B26BFA5FB88314F24C5A9E94D4A766CB3AC856CBA1

Function 047893F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0610980b510e5e8d3fe1b8c18a764bed7ed087007867ccc19949850787fc4e42
Instruction ID: e832cbbd948674016b9ccf0ec10f04d6baf535d4ac8cf40580827cc56042fe21
Opcode Fuzzy Hash: 0610980b510e5e8d3fe1b8c18a764bed7ed087007867ccc19949850787fc4e42
Instruction Fuzzy Hash: D3317AB0A057448EDB60DF6AC08839AFFF2EF89320F28805DD54DAB355D6B464858BA1

Function 02D4F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786c8016a57e77beb0ab2a925f75d9f284633c6bbe1f2c2917f2b595e2403141
Instruction ID: 86de55a88c02524c97bca6850f1c1540dd6eb14be3cde5718690005454df49d3
Opcode Fuzzy Hash: 786c8016a57e77beb0ab2a925f75d9f284633c6bbe1f2c2917f2b595e2403141
Instruction Fuzzy Hash: E5213471504240DFDB14DF24D9C0B26BFA5EB94314F30C56DD84A4B766CB3AE846CA61

Function 04789400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db17899476a2fe3226c517f3695418c27635d87424805f6b52e903fd31794a9
Instruction ID: b1af5cc262787c075afd2ab396a50e055b37fa1d2ba03910c35054deae13018e
Opcode Fuzzy Hash: 5db17899476a2fe3226c517f3695418c27635d87424805f6b52e903fd31794a9
Instruction Fuzzy Hash: 25216BB0A017448EDB60DF6AC0883DAFBF2EB88324F28C41DD94DA7345D6B464818FA1

Function 0478767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f310b6a81789e1afed58e41ca184df4593d84fc2cfd07f89e10899664532f1b
Instruction ID: a9704b248e415b5c34a593f4ec84f64e7f1016d49768522524f8439879e4c139
Opcode Fuzzy Hash: 1f310b6a81789e1afed58e41ca184df4593d84fc2cfd07f89e10899664532f1b
Instruction Fuzzy Hash: EC112E357001188FCB14DBACE9409DD77F6FBC9321B1440A9E509EB364DB35EC058BA0

Function 0478E290 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dd47349a50d67b103650272a361da7376980417717c683a552d360a4642d6a
Instruction ID: f854fdc206d3d35b877c64549412c93e7678d3565ea4f8fb5ddfe4dec4551a1a
Opcode Fuzzy Hash: 06dd47349a50d67b103650272a361da7376980417717c683a552d360a4642d6a
Instruction Fuzzy Hash: 0C216A718053898FDB11DF5AC5447EEBFF4EB09324F1880AED488EB651D339A944CBA5

Function 075828E2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16fcd88e019892534237d54a9d794172bef5ef387b506a2d5f937e0254fc53b
Instruction ID: ecb92fa56db4d8390a210fc8984a1657a3227c334a86bce01945fbb7e24adc71
Opcode Fuzzy Hash: e16fcd88e019892534237d54a9d794172bef5ef387b506a2d5f937e0254fc53b
Instruction Fuzzy Hash: FA11B6B0A10206CFCBA4DF99C585BE6BFF5FF45221F0580A7D944AB261D771D881CB92

Function 02D4F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: e163e47feb3239f365bb99bb9d4d006a60c6398be7664dcf8514e6854f3ee74b
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: A1219D76504240DFCF06CF10D9C4B16BF72FB88314F24C5A9D9494A766C73AD86ACB91

Function 02D4F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 04518bec974826a16f18db97486647ac3830e1221a7dc7e2ac1f8f254c2c5a98
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: A511DD75504280CFCB15CF14D5C4B15BFA1FB84328F28C6AAD8094BB66C33AE84ACB62

Function 0478E2A0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ce88f68909ac79d6bfafb45f51d36b252992c1986facfcd7adb0701987b8f6
Instruction ID: 31e3893d56bbb4acb3566a39f7193d93c2d716706621447567c80ed4bbe9a0ba
Opcode Fuzzy Hash: 41ce88f68909ac79d6bfafb45f51d36b252992c1986facfcd7adb0701987b8f6
Instruction Fuzzy Hash: 5D1155B19002498FDB10DF9AC50479EBBF4EB08324F28806EE448A7641D379A944CBA5

Function 04782C5C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8edf65a791ed6b88e6277032988268ddd2d0d97d654b73ef13be7299195140b
Instruction ID: d97112ca56efb38a0baefae9e46a81a12acc0ebee3df63719342b9c505999a57
Opcode Fuzzy Hash: c8edf65a791ed6b88e6277032988268ddd2d0d97d654b73ef13be7299195140b
Instruction Fuzzy Hash: 2611A1355492D05FCB03DF6CD9609E97F70EF46220B0541C7D0949B2A3C226ED49CBA5

Function 0478BCE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe138a7f84491e6077a806ca5f1b6b00a798c37debccb5eb1d5ca28d8f74753d
Instruction ID: b6a397c6428141760ff4f7dd837de0ad63883559b86a91cc9840623666954f0f
Opcode Fuzzy Hash: fe138a7f84491e6077a806ca5f1b6b00a798c37debccb5eb1d5ca28d8f74753d
Instruction Fuzzy Hash: 6711AD316083449FD718DF39D494AAA7FE1EF46210B2488EEE08AC77A2CA30F845CB10

Function 0478F330 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30cd80beaca67743ea5213f1f4d7df98f4a7469783f05b5df533642f7802860
Instruction ID: f9dd9fd210cd518dc20443c07e5f447d9c55c7f23eab7da6b0640021e5f5519c
Opcode Fuzzy Hash: d30cd80beaca67743ea5213f1f4d7df98f4a7469783f05b5df533642f7802860
Instruction Fuzzy Hash: FC11F3752047508FC728DF75D08085ABBF6AF8931532489ADD48A8BBA1CB36E845CB50

Function 0478DCD9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c4edf925e2529ecee790718b800f662588e65eb1933ba76a83054c678dd899
Instruction ID: cb34ec4815e48d80bdb17c9f7525ad4433ac2592b7278cb7d463c0d130cb3f30
Opcode Fuzzy Hash: 34c4edf925e2529ecee790718b800f662588e65eb1933ba76a83054c678dd899
Instruction Fuzzy Hash: 40014931B040809FCB26EB74D4548FD7FF1DFD9220B1884AED4419B3A6DA605C01CB60

Function 0478DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607084f23f458317672323ffa07d57dea16cdce751014aedf181bca337412bde
Instruction ID: 1bd98d1596ab5016d6cfb4aec1a3c6cd4ce2174363a953b4758bc8d719e8e90b
Opcode Fuzzy Hash: 607084f23f458317672323ffa07d57dea16cdce751014aedf181bca337412bde
Instruction Fuzzy Hash: 0F015E35B012149FCF119FB4E808AAEBBF5FB99315F24406DE91AD3342DB32A951CB91

Function 0478BF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8081d5593e99cf4644a470fc7f96235b204e5ac21fa17201b405d33ca8f4fba5
Instruction ID: 9d17359772ca81809a1b9f73f28e60a0200cea099a2597a32ce96848b80fba93
Opcode Fuzzy Hash: 8081d5593e99cf4644a470fc7f96235b204e5ac21fa17201b405d33ca8f4fba5
Instruction Fuzzy Hash: AE0181323092A11FD7118A799CA49BB7FF9DF8A62071844AEF885C7262C9658D04C760

Function 02D4D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91464b87619532cd7a670780cd9572e81123d8f6e075f89e111ab4097b5496da
Instruction ID: dace02c9512d8f4a9064e99d00b04a98dc937b87814203b7121eab0a2cee6568
Opcode Fuzzy Hash: 91464b87619532cd7a670780cd9572e81123d8f6e075f89e111ab4097b5496da
Instruction Fuzzy Hash: 1E01A2714093409BE7218A29C984B67BF99EF41324F28C52AED894B386CB79EC45C6B1

Function 02D4D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe3a95efc40e23686810c33d3e04d0a2581be7555bbef96e42be63a50e3111
Instruction ID: b9cbccec0b2d4391909707b136ed6557f9d370a9d3446eb0bd3935b71a336140
Opcode Fuzzy Hash: f8fe3a95efc40e23686810c33d3e04d0a2581be7555bbef96e42be63a50e3111
Instruction Fuzzy Hash: 69014C6140E3C09FD7128B258894B52BFB4EF43224F1DC1DBE8888F2A7C2699849C772

Function 0478F7B1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4118d5fdcdf6697f4cd7ef9b32d61ef6cf7e9b2ed4090e5b0a38781b975b4c4
Instruction ID: e10058032436c53507064e8731a5cce6e0a491cd85c65e6ff7fc16ae84c08e6d
Opcode Fuzzy Hash: b4118d5fdcdf6697f4cd7ef9b32d61ef6cf7e9b2ed4090e5b0a38781b975b4c4
Instruction Fuzzy Hash: B801C572D1074A9FCB05DFE4C9546EDBBB0FF9A310F24461AE041AA611EBB02686DB80

Function 047890D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d471df62670417852c3fda9a254e3d82fd10c43b8411a70898e691f3946c6b9
Instruction ID: f01cf47cd370b90801dddd3d22609fa2705f59c106e07c5f2b20cbb17af7c545
Opcode Fuzzy Hash: 6d471df62670417852c3fda9a254e3d82fd10c43b8411a70898e691f3946c6b9
Instruction Fuzzy Hash: 4EF0F9715142404FD3115B78D0643E77BA2DFC2328F14419AD8494B391CE3D2C05C7A1

Function 04787958 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe509d36a21216b30d80d257a7c45cbcae9b49d43f6c545395862df07821ba49
Instruction ID: ea0d8a4537804aeff2543df3048e4b0a9312e83a80ccea0fbb59a2f3d25409d2
Opcode Fuzzy Hash: fe509d36a21216b30d80d257a7c45cbcae9b49d43f6c545395862df07821ba49
Instruction Fuzzy Hash: 97F0C2716053506FC70A9B68D89496FBBEDEF89221B11059EE049DB3A2DF306C05C771

Function 02D4D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d566a086c42852a483fbf4d4272cb758bf8c8b4714c83d0f4c940e962de9130
Instruction ID: d9fe27f72e9bf97fce1064f91171da1208939cc241e3f40a2f6a99f4e81abdd3
Opcode Fuzzy Hash: 7d566a086c42852a483fbf4d4272cb758bf8c8b4714c83d0f4c940e962de9130
Instruction Fuzzy Hash: 5EF0F976600600AF97218F0AD985C27FBADEBD4670719C55AE84A8B755C671EC41CEA0

Function 0478DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018696ae87d0e06ffb79be9ace5345cbeed1ae583cd4a624737e81eb59099652
Instruction ID: b740b8f42a3b9cfc2595dd048366525660611c5e343b29d9fc7e438b0afd1f5f
Opcode Fuzzy Hash: 018696ae87d0e06ffb79be9ace5345cbeed1ae583cd4a624737e81eb59099652
Instruction Fuzzy Hash: 0AF05E353542409FC3119F2DD494C66BBF9EFCA715319009AE184CB372DA61EC02CB94

Function 02D4D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762094630.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b69ca8bf072532caba489d3b9f2e2730507508fab0d7077f4a37325544756e8
Instruction ID: 0c817ea9978f9d29ecf844a3dc870d2cb6252f03f589a59102cb31120fcc0c2e
Opcode Fuzzy Hash: 3b69ca8bf072532caba489d3b9f2e2730507508fab0d7077f4a37325544756e8
Instruction Fuzzy Hash: 09F06275100640AFD311CF05CD84D23BBB9EB85630B198489F84A8B352C770FC41CFA0

Function 0478F7C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a293c13bc6b31788c13b7b0eaca55f4ec4c6ddd384974cc623e0ae6b5f5dd61
Instruction ID: f8ab682dd501cc11d1d5679bd17f35a5f21b4ec8e12d1a214c7fda49ee6cc159
Opcode Fuzzy Hash: 7a293c13bc6b31788c13b7b0eaca55f4ec4c6ddd384974cc623e0ae6b5f5dd61
Instruction Fuzzy Hash: C801AFB1D5075ADBCB44DFE5C9446EEBBB5FF99300F20072EE015A6A40EBB06695CB80

Function 04789158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f181be64709ea5ea11054dcec3e8f940ab754719fca1cc3d3f2101cf11373652
Instruction ID: 7637737df94dbb8ff511b62269a13326164a31ad55be165e0cdbd2c9fc91b5db
Opcode Fuzzy Hash: f181be64709ea5ea11054dcec3e8f940ab754719fca1cc3d3f2101cf11373652
Instruction Fuzzy Hash: F2F030719093808FD761DB7894A83EABFE1EF46310F14489ED18EC7252CB356985CB51

Function 04787968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f8a8170c33a985e92adbf2243ea33950c05ad934a158a6d48cd6aed20aab5c
Instruction ID: 36ab2638a720e956855036c447807b145b6e46635212426e40a4d0c4f41e3fa9
Opcode Fuzzy Hash: 27f8a8170c33a985e92adbf2243ea33950c05ad934a158a6d48cd6aed20aab5c
Instruction Fuzzy Hash: C7F0A0317007149FDB14AE6AE844A6FB7EEEB88261F11052DE14AD3390DF30AC418BA0

Function 04787697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281dac1d569b15e986abd729c2f84ab0ff44a871ab0e0f04a76f928546df268d
Instruction ID: 12bde343d2299a8902f35c05d733b5315543d5a73577819bbf3517ad5e71a397
Opcode Fuzzy Hash: 281dac1d569b15e986abd729c2f84ab0ff44a871ab0e0f04a76f928546df268d
Instruction Fuzzy Hash: D5F0A0393401248FCB14EB6CA800A9A7BE2FBC9351B254199E40ACB324DF35EC068FA0

Function 047890E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7fbe2e84bf1515ca1fa0a479340f14971d5c7a7904a27d036dc2c24cbd596f
Instruction ID: 111fd71a7081199f00d767788c3db77bb52dd46b78c26c711a27a155caf59358
Opcode Fuzzy Hash: 6e7fbe2e84bf1515ca1fa0a479340f14971d5c7a7904a27d036dc2c24cbd596f
Instruction Fuzzy Hash: 76F0E2716001048BE710AB68D0583EB77D6DBC0728F20816ED90A47384CE3D2C06CBE1

Function 0478896A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce13b27cc549680e698c0b37ff2912b2176b9fbff9d72b6c17ad8779828b899
Instruction ID: cba3b5fb568ac884f14d2a4f3acc932d02504bebceeef0860ed139ebb25a199f
Opcode Fuzzy Hash: 7ce13b27cc549680e698c0b37ff2912b2176b9fbff9d72b6c17ad8779828b899
Instruction Fuzzy Hash: 69F082353092C08FDB07A774646C2AD7FA2DFC6225F2900DEE5498B253CE650C46C795

Function 0478DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170c834a14dd7a779a2fff380da20bb81032bdc1c30fc97e94e279d5e9380512
Instruction ID: e2028e75add8cd003564b00c917eb5a9c2af025eab55f24d5ebfc687deafd999
Opcode Fuzzy Hash: 170c834a14dd7a779a2fff380da20bb81032bdc1c30fc97e94e279d5e9380512
Instruction Fuzzy Hash: 02E065353401108F8310AB2DD488C66B7FAEFCE72531900AAE549CB330CA61EC01CB90

Function 0478AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29985336a2c0891a95d5a83d40e7fc5ae3449bdc0d412bd43cb6c88a8593961e
Instruction ID: 5e9dbfe55a8d006301c8fad09ae1039c3a94228f9bd4d3b8bf323532c8db3521
Opcode Fuzzy Hash: 29985336a2c0891a95d5a83d40e7fc5ae3449bdc0d412bd43cb6c88a8593961e
Instruction Fuzzy Hash: A7E09A7275C3D51B9B16A22AA8640A6BFB78AD362030984FBE080CF353D851A80283A0

Function 04789549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1ecd6ffd11a24ddfff75ce91569c040b176a00aad006ca130690eb8bdf6c2a
Instruction ID: 8d66a67acc44faefa1f7282993745172fc59a41b82d3f0e783f0ed266fb79521
Opcode Fuzzy Hash: 6c1ecd6ffd11a24ddfff75ce91569c040b176a00aad006ca130690eb8bdf6c2a
Instruction Fuzzy Hash: 3FE02BB27D11216B265430B98A142B7B5CECFC40AA306003DEA05D3341ED40EC0143F2

Function 04789168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2a993a90574a652aa159efb5a567166198e992e966e59fd45248b520903a28
Instruction ID: 3ab2a05f844d582a239076bce947d6b10d31c5b6f5c378b5e44f9e4d8dcb1f23
Opcode Fuzzy Hash: bc2a993a90574a652aa159efb5a567166198e992e966e59fd45248b520903a28
Instruction Fuzzy Hash: 23F06D709003048BD760DF78E49C39ABBE5EB44310F20446DE64EC3340DF396881CB90

Function 04788978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d6ac3b327f32aae2df9af43267fcb7c86333570703717deedfc6a2c5df599a
Instruction ID: d3c8ab006e9d3b913df71883626f9e560854fe85508277ab7c9df3d9ced2cb3d
Opcode Fuzzy Hash: 45d6ac3b327f32aae2df9af43267fcb7c86333570703717deedfc6a2c5df599a
Instruction Fuzzy Hash: C5E0263130421487CF09B778B40C2AEBA57EBC4728F24002EE60E83342CF791C4683E9

Function 04789550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3438e424565df8f07ea4493e62f0c3ed0811d8d557aab78f81325a36df2b94e1
Instruction ID: 27bf6d7d0a56c129a43a229273c9e79a54b733cd6fb390955a1b3c8babba9260
Opcode Fuzzy Hash: 3438e424565df8f07ea4493e62f0c3ed0811d8d557aab78f81325a36df2b94e1
Instruction Fuzzy Hash: C9D0A7B27D113157165470FE1A146BBA5CECFC84A9746003EEB09D3381EC40EC0143F2

Function 0478DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: cb5275faeba96cf0bfd300771ace57068d2d7ba8d76ae3f4be89be997c51942b
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 13E08631B10014978B1C99AAD4104EDF7AADBCC220F04807FD90AA7380DA72691586E1

Function 04788739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f17ae55441e6de06fc72c8e9b016594fd5779b1a0ce6e57cbe00c9449747e7
Instruction ID: 077260e662a071a9d447b81ee39de9d5c9f4a6708269bed138b0d2b97dd728de
Opcode Fuzzy Hash: f6f17ae55441e6de06fc72c8e9b016594fd5779b1a0ce6e57cbe00c9449747e7
Instruction Fuzzy Hash: 4BE01231914149DFDB09FBB4E45E4BE7F74EA26311B50019DE55286152DE201A86CBC5

Function 0478F850 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46238b387a804d229259a5d2212e5ed45f3208b6eada5a4aac637e85af2802dd
Instruction ID: 39129a9b1c132873b53b636823bba44f8604427587acdc950571d5c4c1973e09
Opcode Fuzzy Hash: 46238b387a804d229259a5d2212e5ed45f3208b6eada5a4aac637e85af2802dd
Instruction Fuzzy Hash: 1AE0ED70E012899ECB80DF798445759FFF0AF09310F14C5AFD988EB241EA314615DB81

Function 04788800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94faeaf5b77d41bde20096d9fcb108a6a76265b755043c2873e73336026e88a5
Instruction ID: a713aeb1ff793f7276d4f5a3f420796b69b1302dbbeb247bcf2e1ad4177d72d0
Opcode Fuzzy Hash: 94faeaf5b77d41bde20096d9fcb108a6a76265b755043c2873e73336026e88a5
Instruction Fuzzy Hash: 32E09235A1C2868FCB04DB74D0564ADBFF0EB1A214B24459CDD869B362DA200840CB80

Function 0478F860 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: b44ddf3653553c879b9166cf275ed5096bd1484273ebd91a4f8c16bc6c7b8ac0
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: C8D04C70D0520D9F8780EFA9894156DFBF4AB48210B5085AA8919E7301E63156128BD1

Function 04788748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce223744c7ead707b56dad40b97617b8b9d0fe50471134209111a2ea2ad7cb6
Instruction ID: 24325cbf915ae372b33826b8de245dd96344ba5140acd823d4faac647315789a
Opcode Fuzzy Hash: 9ce223744c7ead707b56dad40b97617b8b9d0fe50471134209111a2ea2ad7cb6
Instruction Fuzzy Hash: F0D06735904109CBCF48FBA5F85E4BDBB74FA24301F60416EE91752291EE352A9ACBC5

Function 04788810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6bd2acdc749ec9a000ca01c102fe06d26a61ffac2b4485308e895e28fdb9a9
Instruction ID: 16fb88b8c7e6b2a226ccc318bbf4d86c2a9e70570138f733661196b2cf056311
Opcode Fuzzy Hash: ef6bd2acdc749ec9a000ca01c102fe06d26a61ffac2b4485308e895e28fdb9a9
Instruction Fuzzy Hash: 5CD01734A0820ACF8B48EFA4E44A86EBBB5EB44200F20416DEE0A93351EE306C41CBC1

Function 04787932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec292c78b0124d59ef659abc55b45b2eaddcf3217d3c4d9cef9f66ff9aa006e7
Instruction ID: 12f8b84b8eb24b3ef0e49fb31a976f211353f928acab5ae8e1e812c053b19560
Opcode Fuzzy Hash: ec292c78b0124d59ef659abc55b45b2eaddcf3217d3c4d9cef9f66ff9aa006e7
Instruction Fuzzy Hash: 2CD0A93404D3C4AFC71B9F39D898C063FB96E0312430A05CED88A8F1B3CA228408CB17

Function 04787EA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dc34ace66443d033943eb635659436d54862ddbf6dd6ea4fd95ce25650e5b9
Instruction ID: b9e5795182dabe91bc773e1ce791860e5c29b77068fbfff0c41a6c984ffdff67
Opcode Fuzzy Hash: a8dc34ace66443d033943eb635659436d54862ddbf6dd6ea4fd95ce25650e5b9
Instruction Fuzzy Hash: 83C0022545E2815FEF0B972889A9B467F75995321070B11CAE181CA5A3C624580ACB22

Function 04787940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8261f7d1f7a3ec140e51c72145aa97c91964fe1c1c589244f518cb6fb7020928
Instruction ID: 5ad802432c269229444f3ee807e7e0f3a4b18e521e32de5516ebd5035340a30e
Opcode Fuzzy Hash: 8261f7d1f7a3ec140e51c72145aa97c91964fe1c1c589244f518cb6fb7020928
Instruction Fuzzy Hash: F6B092360447098FC3496F76E409814732DBB4021978108E8E90E4A292CE36E889CA46

Non-executed Functions

Function 07581BE0 Relevance: 20.4, Strings: 16, Instructions: 414COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07581C92
JWl, xrefs: 075820C2
84Tl, xrefs: 07581F76
rVl, xrefs: 07581C5D
JWl, xrefs: 075820CE
rVl, xrefs: 07581C53
4'^q, xrefs: 07581F95
tP^q, xrefs: 07581FEB
tP^q, xrefs: 07581FDF
JWl, xrefs: 07582017
4'^q, xrefs: 07581C86
JWl, xrefs: 0758200B
84Tl, xrefs: 07581F6C
4'^q, xrefs: 07581F89
$cIk, xrefs: 075820B4
JWl, xrefs: 07581FA1

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: $cIk$4'^q$4'^q$4'^q$4'^q$84Tl$84Tl$tP^q$tP^q$JWl$JWl$JWl$JWl$JWl$rVl$rVl
API String ID: 0-2704879209
Opcode ID: 92fb2f52f41d94348cd4396f6ac5a4899559b1cefde2e06edd4e45f8410375b4
Instruction ID: 25e6f92eec3a3a881acd893b35678419c885e1a37d5b8015a4efe2241a602ae3
Opcode Fuzzy Hash: 92fb2f52f41d94348cd4396f6ac5a4899559b1cefde2e06edd4e45f8410375b4
Instruction Fuzzy Hash: 11D17BB1B0460ACFCBA4AB6894046E6BFE6BFC5310F1484AFD415AF251DB31C887C7A1

Function 07583928 Relevance: 12.8, Strings: 10, Instructions: 325COMMON

Download Yara Rule

Strings

tP^q, xrefs: 075839A5
4'^q, xrefs: 07583B35
tP^q, xrefs: 075839B1
$^q, xrefs: 0758393A
$^q, xrefs: 07583960
4'^q, xrefs: 07583B29
Ll, xrefs: 07583A1D
Ll, xrefs: 07583A0F
$^q, xrefs: 07583C0E
$^q, xrefs: 0758396C

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Ll$Ll
API String ID: 0-1884767114
Opcode ID: 4e1bea1ae32e79512d30c882630004d4fb70e50e6f479d18e2eb30bec97a5eae
Instruction ID: d54f77d34264995e7d539b2f0691cd717c1376a17515eb4a537a5a2347bebe3b
Opcode Fuzzy Hash: 4e1bea1ae32e79512d30c882630004d4fb70e50e6f479d18e2eb30bec97a5eae
Instruction Fuzzy Hash: 63A158B27043558FC754AB69C8156AEBBE6BFC2A20F1484ABD405DF3A1DE32CC45C7A1

Function 07583678 Relevance: 8.9, Strings: 7, Instructions: 191COMMON

Download Yara Rule

Strings

$^q, xrefs: 07583836
Ll, xrefs: 0758386D
4'^q, xrefs: 07583722
$^q, xrefs: 075837FF
Ll, xrefs: 0758387B
$^q, xrefs: 0758382A
4'^q, xrefs: 0758372E

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$Ll$Ll
API String ID: 0-2844568421
Opcode ID: 2fe5916e182d08efe9b3aa49dfe23db680658dcc536824061cc031462cfb7760
Instruction ID: de27040abbda8be9bd1c74196b053542f5e347b34dc5d20873a3ec91902aa56e
Opcode Fuzzy Hash: 2fe5916e182d08efe9b3aa49dfe23db680658dcc536824061cc031462cfb7760
Instruction Fuzzy Hash: 59517BB17043069FDB646A69C8106EEBBF6BFC2A10F24847BD405DB351DB35C945CBA1

Function 04787A21 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

tMVl, xrefs: 04787AD4
`_q, xrefs: 04787C44
`_q, xrefs: 04787CC2
`_q, xrefs: 04787B23
`_q, xrefs: 04787BA2

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: tMVl$`_q$`_q$`_q$`_q
API String ID: 0-558380399
Opcode ID: 75f4654ac4d7f612e3109621e30338dec45638cfaa7ae7050400e3a450b3ff5b
Instruction ID: fcc7f8bc16810855e764e78a3b740eca7a5359534cbd6361251e28eb6113af8e
Opcode Fuzzy Hash: 75f4654ac4d7f612e3109621e30338dec45638cfaa7ae7050400e3a450b3ff5b
Instruction Fuzzy Hash: A7B1B574E002099FDB54DFA9D990A9DFBF6FF88300F20862AD419AB354DB30A945CF90

Function 04787A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tMVl, xrefs: 04787AD4
`_q, xrefs: 04787C44
`_q, xrefs: 04787CC2
`_q, xrefs: 04787B23
`_q, xrefs: 04787BA2

Memory Dump Source

Source File: 00000007.00000002.1763436601.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: tMVl$`_q$`_q$`_q$`_q
API String ID: 0-558380399
Opcode ID: be966dc48997b7b9adc62c69c9021930c0c634d4eaa67dd156a974d0cfaf13bc
Instruction ID: d21153562f17645991516dc1ea9b453d377d24220df0ed0e4f3dd1f05883c334
Opcode Fuzzy Hash: be966dc48997b7b9adc62c69c9021930c0c634d4eaa67dd156a974d0cfaf13bc
Instruction Fuzzy Hash: 5AB19574E002099FDB54DFA9D990A9DFBF6FF88310F208629D819AB354DB70A945CF90

Function 075833D8 Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

,SVl, xrefs: 07583469
,SVl, xrefs: 0758345D
p5Fk, xrefs: 0758344F
RVl, xrefs: 0758342B

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: ,SVl$,SVl$p5Fk$RVl
API String ID: 0-3075652356
Opcode ID: 80a216e9a4b94811617f977823f4da75d6a06ffc7f237bc2fa1d839135652029
Instruction ID: 68c45d2826d6defc447fe8c3d7b85aa63cdd11392edd67cd63918cabad317ec6
Opcode Fuzzy Hash: 80a216e9a4b94811617f977823f4da75d6a06ffc7f237bc2fa1d839135652029
Instruction Fuzzy Hash: 48413AB1B043059FC761AB6D8C05BEEBFE1AF86A10F18847BD409DB762DA31D941C7A1

Function 07583907 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

tP^q, xrefs: 075839A5
$^q, xrefs: 0758393A
$^q, xrefs: 07583960
$^q, xrefs: 0758396C

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q
API String ID: 0-3061638629
Opcode ID: da3ec9386587ee8b249e7d24fb8e4a40e3dd9960685db9d67906bf7b18aa52c4
Instruction ID: 900cabcc0608b5dd6dc843045ddc01bf6f33b4b476fa3fd412c16888599cbdd6
Opcode Fuzzy Hash: da3ec9386587ee8b249e7d24fb8e4a40e3dd9960685db9d67906bf7b18aa52c4
Instruction Fuzzy Hash: 4A3167B26093849FC7265F288800AE97FB5BF46A20F1945DBE444DF2A3CA31C844C760

Function 07585798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 075857AA
$^q, xrefs: 075857F4
$^q, xrefs: 07585800
$^q, xrefs: 075857C6

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 39bd909ede3fadcc333c46246dd11de23a05e6fd7d48e486d7712114d9be3d1f
Instruction ID: 82f9003c45ffaf963cda35bd80b4542d799d294002703a923babf23465a7868c
Opcode Fuzzy Hash: 39bd909ede3fadcc333c46246dd11de23a05e6fd7d48e486d7712114d9be3d1f
Instruction Fuzzy Hash: 5B218BB170020A9BEBB8697A8C00BB7BBD67BC0710F34842BE405EF385ED75C8518761

Function 0758218F Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

TcIk, xrefs: 075821F2
JWl, xrefs: 075821C4
JWl, xrefs: 075821BA
$^q, xrefs: 07582166

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: TcIk$$^q$JWl$JWl
API String ID: 0-3797987245
Opcode ID: 24d513a21d3495cde55b6d3351d9ff7c0ae37da8d9ad319cf62065b9b6ac0569
Instruction ID: 153093f0a166e4a10e055273758ff545ec408d2a6de5d2c7f6bfddb919553bfd
Opcode Fuzzy Hash: 24d513a21d3495cde55b6d3351d9ff7c0ae37da8d9ad319cf62065b9b6ac0569
Instruction Fuzzy Hash: 70110CF160C391CFC3665B689C519D1BFF1BFA2210B1984A7C240AF66BC7309845C7E2

Function 07582107 Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

Strings

JWl, xrefs: 0758214A
$^q, xrefs: 07582172
$^q, xrefs: 07582166
JWl, xrefs: 07582156

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$JWl$JWl
API String ID: 0-169093843
Opcode ID: 5f3fa48ecbf2883ecef30d0744155bc6e417d1b066207fc1f1fbbf663dfa697a
Instruction ID: d34254deda11e2156d9574672e53722e92370483f262d8818d420adbe823bd47
Opcode Fuzzy Hash: 5f3fa48ecbf2883ecef30d0744155bc6e417d1b066207fc1f1fbbf663dfa697a
Instruction Fuzzy Hash: FD01FEF1A583818FC37656244C165926FF6FF93610F1984DBC580AF26BC5358C49C7E6

Function 0758030A Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07580373
$^q, xrefs: 0758035E
4'^q, xrefs: 0758037F
$^q, xrefs: 07580352

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: c2eaa5bae55fb9a7a2f5ef5156387d06d3e3a7b8f4b06aa757dbcc9ca76a3c41
Instruction ID: 0d1e01f79f1264fcb457b1066d078a9e83083782578f7f7eb7d7669b18c28d3b
Opcode Fuzzy Hash: c2eaa5bae55fb9a7a2f5ef5156387d06d3e3a7b8f4b06aa757dbcc9ca76a3c41
Instruction Fuzzy Hash: BE012671B583894FC76A22286C206A65FF6AFC3510B2905EBC084EF3A7CD158C0E8766

Function 07580C1A Relevance: 5.0, Strings: 4, Instructions: 27COMMON

Download Yara Rule

Strings

JWl, xrefs: 07580C4E
4'^q, xrefs: 07580C58
$, xrefs: 07580C30
4'^q, xrefs: 07580C64

Memory Dump Source

Source File: 00000007.00000002.1779774137.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7580000_powershell.jbxd

Similarity

API ID:
String ID: $$4'^q$4'^q$JWl
API String ID: 0-1219636804
Opcode ID: d5be493dde50e941e71f82b63ef1fc87da3693ff8916bc774b41c155fd716fb6
Instruction ID: 67ae736280b26ba4c4708e85b3c330fca3c95120b742b0006517d6080db04291
Opcode Fuzzy Hash: d5be493dde50e941e71f82b63ef1fc87da3693ff8916bc774b41c155fd716fb6
Instruction Fuzzy Hash: 0CF0F25468E3C46FC72B6B3418256A53FA29F43604B5A04CFC0809F6E7CA2A4C8CC766

Analysis Process: powershell.exePID: 7340, Parent PID: 7812COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0079B490 Relevance: 4.0, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{U2r^, xrefs: 0079B738, 0079B73D
[2r^, xrefs: 0079B529
kU2r^, xrefs: 0079B770, 0079B775

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: kU2r^${U2r^$[2r^
API String ID: 0-947501266
Opcode ID: dc20b119b1176622de8445595a61862dbe7ace5adc459dfef3f7aeceb6e84ed6
Instruction ID: 87d622fc54ccf1ec3c67c1b540f8f5f6aad01018f4b0ef63e2269cc8ab9a5373
Opcode Fuzzy Hash: dc20b119b1176622de8445595a61862dbe7ace5adc459dfef3f7aeceb6e84ed6
Instruction Fuzzy Hash: 6F918671B006145BDB29EFB4D9156AEB7E3DF84704B00C92DD11AAB340DF746E0A8BD6

Function 0079B4A0 Relevance: 4.0, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{U2r^, xrefs: 0079B738, 0079B73D
[2r^, xrefs: 0079B529
kU2r^, xrefs: 0079B770, 0079B775

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: kU2r^${U2r^$[2r^
API String ID: 0-947501266
Opcode ID: e820f219d5c851e7966e81cba49c6833674d37ec82912888daca4b5a5410a494
Instruction ID: bff0e593d886c182b219e8295751c8f68c5ac0eaad47e28501883ebbb5573e5e
Opcode Fuzzy Hash: e820f219d5c851e7966e81cba49c6833674d37ec82912888daca4b5a5410a494
Instruction Fuzzy Hash: 25916671B006145BDB29EFB4C9156AEB7E3DF84704B00C92DD11AAB340DF746E0A8BD6

Function 06E52308 Relevance: 14.4, Strings: 11, Instructions: 637COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06E52619
4'^q, xrefs: 06E5260D
rVl, xrefs: 06E52559
JWl, xrefs: 06E523C5
rVl, xrefs: 06E5254F
|, k, xrefs: 06E525DB
JWl, xrefs: 06E523D1
JWl, xrefs: 06E5237F
JWl, xrefs: 06E525F6
JWl, xrefs: 06E525EA
JWl, xrefs: 06E5259E

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$|, k$JWl$JWl$JWl$JWl$JWl$JWl$rVl$rVl
API String ID: 0-464746590
Opcode ID: 9ca091b6ac3061a1e65cb4ef195e8f9b2e7634504a62d3a4dbeaf9c257ca8f2c
Instruction ID: 97c13a2748576c6919ec86558da004c4114e12bf5f49704bf5af012db72dc5b5
Opcode Fuzzy Hash: 9ca091b6ac3061a1e65cb4ef195e8f9b2e7634504a62d3a4dbeaf9c257ca8f2c
Instruction Fuzzy Hash: 32223731F003099FDB64DF68C8416AABBE6AF84210F15907AEE05DB251DB35DE45C7A2

Function 06E53CE8 Relevance: 2.8, Strings: 2, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06E54026
4'^q, xrefs: 06E54030

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 494ccfd02a0cb4ad12f5e792e392648535b7d041b92123b5f4c82730490ac5ac
Instruction ID: e27a59ecc0ee12fcee9a29be6db241cd8d76455def599eb948eb058c0c17fa78
Opcode Fuzzy Hash: 494ccfd02a0cb4ad12f5e792e392648535b7d041b92123b5f4c82730490ac5ac
Instruction Fuzzy Hash: 15B12A31F003158FCB958B6888116ABBBE69B91394B26906ADD01CF661EF31DD85C7E2

Function 08147458 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081474C2

Memory Dump Source

Source File: 0000000A.00000002.1827566992.0000000008140000.00000040.00000800.00020000.00000000.sdmp, Offset: 08140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8140000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 9ccfa2f9e2c15745f8ba68a6adabf3b25801b7da9d8022b173c422aceaecd108
Instruction ID: 58fbc81e2e526d3764bfe0e48de0b6b33c9ee9ba7a7a60520054504b82f7e63b
Opcode Fuzzy Hash: 9ccfa2f9e2c15745f8ba68a6adabf3b25801b7da9d8022b173c422aceaecd108
Instruction Fuzzy Hash: 981116B59002098FCB10DF9AD544BEEFFF8EF48320F248859D458A7250D774A945CFA1

Function 08147460 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081474C2

Memory Dump Source

Source File: 0000000A.00000002.1827566992.0000000008140000.00000040.00000800.00020000.00000000.sdmp, Offset: 08140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8140000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 546bdd39a776e93063ae6ef79c2461b4f326e18bf0531780a834ff764bfa22f7
Instruction ID: 2d11bdf1ee18d9029f4dc24cd51191bd3862197b513dec28eac2fd6f68b7f4ab
Opcode Fuzzy Hash: 546bdd39a776e93063ae6ef79c2461b4f326e18bf0531780a834ff764bfa22f7
Instruction Fuzzy Hash: 6511F5B59002488FCB10DF9AC544B9EFFF8EF48324F248859D458A7350D774A945CFA5

Function 00796FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 007970ED

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 19a911bbbb5e52b0f767086d27bc62b945d32c16d3f1df801745042697c5e593
Instruction ID: 79e2ebf18eeaeec0d809d0c89a9cc7ba2042d502642c5862b800c6b1e0a3d3d6
Opcode Fuzzy Hash: 19a911bbbb5e52b0f767086d27bc62b945d32c16d3f1df801745042697c5e593
Instruction Fuzzy Hash: DE415F74B142048FDB08DF68D558AAEBBF2EF8D310F154099E406AB395DB36EC01CB60

Function 0079AFA8 Relevance: 1.3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 0079AFCA

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: bc5b3e591735a13a340ab6d892ab4aa7d5468390a9526b1d9452eed404745fd5
Instruction ID: 4ee13fd70b08acf2739ae841e612f54757db68867d6ff6f5ffcea2278e41bcb4
Opcode Fuzzy Hash: bc5b3e591735a13a340ab6d892ab4aa7d5468390a9526b1d9452eed404745fd5
Instruction Fuzzy Hash: A121A175A002588FCB14DFAEE4046DEBFF5EB88320F24846AD018A7350CB7499458BA5

Function 0079DC90 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.2r^, xrefs: 0079DCC6

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: .2r^
API String ID: 0-4290168639
Opcode ID: 89fe96797d81fb8f5817bd463dd25bf19d52e724b808d9e85a8d423a9f0b6137
Instruction ID: 62287784f13e534f7ff56c47f0bca69f8769f54fa20cd5feb5fd9ce97564e896
Opcode Fuzzy Hash: 89fe96797d81fb8f5817bd463dd25bf19d52e724b808d9e85a8d423a9f0b6137
Instruction Fuzzy Hash: 2BE022326006101BC722526EB8018DF7B8FCFC5231305402AE02887300CEA8DC4183F5

Function 0079DCA0 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.2r^, xrefs: 0079DCC6

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: .2r^
API String ID: 0-4290168639
Opcode ID: 90b311c4e4a9942cfec785fe5cba28c3381f9736e7fbb81dc038b25b563fc92c
Instruction ID: 6cb51453f48a3c25aaa929bd5f1b783d748582ab85fc0edaa6cd452ec0bb2e99
Opcode Fuzzy Hash: 90b311c4e4a9942cfec785fe5cba28c3381f9736e7fbb81dc038b25b563fc92c
Instruction Fuzzy Hash: F3E0C2317406141B8622676EB81489FB7DBDFC5771300803EE029C7300DEA8DD0587E5

Function 007929F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2d45de3b0c0b12b4a0e5a22c4c8bcaa4e4b4e416326d6f9cad2a56fefba9aa
Instruction ID: 3448eaad0e192850ece5950b135ae2cd73b3087483ad66b6bd3c6b4cdfaf9ef7
Opcode Fuzzy Hash: 7c2d45de3b0c0b12b4a0e5a22c4c8bcaa4e4b4e416326d6f9cad2a56fefba9aa
Instruction Fuzzy Hash: A6918AB0A002459FCB15DF58C4949AEFBB1FF89310B248599D815AB366D739FC52CFA0

Function 0079BAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe0070c8ce30e7124418f0d81c96e45ad9a057703cd472f8f044a8bc9700ff5
Instruction ID: bb314f9d1f85b7391469081e1e49120f5b10e64fd65febcff7493bb637b14075
Opcode Fuzzy Hash: cfe0070c8ce30e7124418f0d81c96e45ad9a057703cd472f8f044a8bc9700ff5
Instruction Fuzzy Hash: DF610671E00248DFCB14DFA9E584A9DFBF6EF89310F14816AE809AB364DB349D45CB60

Function 0079BAC0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c61f7744825f3656c49c4b4f1644f565755243f2991ef70a1a748cce0dd50c4
Instruction ID: d0369928c9670a7ed356213b000bc0e3d3213785725b7d22ff9a52836655dace
Opcode Fuzzy Hash: 2c61f7744825f3656c49c4b4f1644f565755243f2991ef70a1a748cce0dd50c4
Instruction Fuzzy Hash: 7F510671E00248DFCB54DFA9E584A9DFBF6EF89310F14806AE809AB364DB349D45CB60

Function 00797728 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fd562b7eaa1b638f8d72e9869f5bb35ddd107ff819aee2546c7ab67a785f55
Instruction ID: ed5d59736c168fd4e9cd9be7d240ab60718b3befc4b665812c9bbf7410d12392
Opcode Fuzzy Hash: b0fd562b7eaa1b638f8d72e9869f5bb35ddd107ff819aee2546c7ab67a785f55
Instruction Fuzzy Hash: F9419E347142159FDB18DB69D848E3AB7EABFC8314F148869E509CB355EB39DC01CBA0

Function 06E519AF Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05784d6cc1243cd11e7369c1174cb4771205631e7271a50adbc3d49ae314a53
Instruction ID: 6f0bda8b682ca2aa063b574bbbf4e949ddac2dcd96910ca5df9ba00d6dfb40d7
Opcode Fuzzy Hash: e05784d6cc1243cd11e7369c1174cb4771205631e7271a50adbc3d49ae314a53
Instruction Fuzzy Hash: 53318C71B443449FDB1197A888407EEBBE2EF85214F15947AD9018F252DF31CC49C351

Function 06E53CE3 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50de614f68d4ecca7be92da43e99b9b3aac7a0f9c25b777ce819fb478f8ebb0c
Instruction ID: 1ec1067b6f6d3847739a9a52d0d12f81b4c6faa81d1a509dfb326d7ee40c144c
Opcode Fuzzy Hash: 50de614f68d4ecca7be92da43e99b9b3aac7a0f9c25b777ce819fb478f8ebb0c
Instruction Fuzzy Hash: 9731C630E00305CFCBA58F258951A6ABBF3AB847D8F169066DD019F361EB35DD44CBA1

Function 00792B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406b1a16c47bd964d47d75be8cfec6ca6c87af7e8c1af7b846f251e4a9085bb4
Instruction ID: e3f9c506c8c01faecd8208e09a405e024ec637903cd9fe1726627753a7584401
Opcode Fuzzy Hash: 406b1a16c47bd964d47d75be8cfec6ca6c87af7e8c1af7b846f251e4a9085bb4
Instruction Fuzzy Hash: F74125B0A005059FCB05DF58C5989AEFBB1FF48310B158199D815AB365D736FC52CBA0

Function 0079C398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a5f45b50640e6f166cb90e194f4c6a7655d5f3e82fa3c5d2126faf121bcc4
Instruction ID: dd5cc978c463ce7434c7afe8661e5f0815585e4638cbcb26f48603c52c5990a5
Opcode Fuzzy Hash: 213a5f45b50640e6f166cb90e194f4c6a7655d5f3e82fa3c5d2126faf121bcc4
Instruction Fuzzy Hash: DE31AE353006019FDB05DB78E854B9ABBA6EFC4314F008239E60ACB365DF74AD45CBA1

Function 00796FB9 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee949a54a0dcd99609de95939211801cc6d7f16033d0d3997dad9bc219e34a
Instruction ID: 851199de5455bd06b5b0c833ce7fd2fc74d8753570b8e319c072839dd803b4df
Opcode Fuzzy Hash: 4bee949a54a0dcd99609de95939211801cc6d7f16033d0d3997dad9bc219e34a
Instruction Fuzzy Hash: 4D314F34B142058FDB18DF69D558AAEBBF2AF8D311F145158E406AB391DB36DC41CB60

Function 0079AE70 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fabc622b0d569d86cce8db68d11d5a90a5e86a5740e0bcbe028aeae5267a4a
Instruction ID: dba1723e2e91b803bc2194f60271a9d79d878e276406c527a64a9dd27afd148c
Opcode Fuzzy Hash: 49fabc622b0d569d86cce8db68d11d5a90a5e86a5740e0bcbe028aeae5267a4a
Instruction Fuzzy Hash: 14315E74E016099FDF04DFA9E5956AE7BF7AF88310F148069E405EB754EB388C418B92

Function 0079AE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de757fde8f89c9f6e637687ed36856afd5837762e3554b782b9539389acede97
Instruction ID: 4f76b9803d64b4ff249e849f02a10d70a7701a7471bb8d8ee523a110d2ba2c3c
Opcode Fuzzy Hash: de757fde8f89c9f6e637687ed36856afd5837762e3554b782b9539389acede97
Instruction Fuzzy Hash: 95314170E012099FDF04DFADD4957AE7BF6AF89310F148069E405EB354EB788C418B91

Function 0079E051 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999f3d026acddf2fb1d5b229090c05c2339ca7c4bf8c1db03b68e1fdb7a81d87
Instruction ID: 76a884f2aa5e35ecd3570f0de3b36bff363b1f6edb21d608abdcadcb85a177a2
Opcode Fuzzy Hash: 999f3d026acddf2fb1d5b229090c05c2339ca7c4bf8c1db03b68e1fdb7a81d87
Instruction Fuzzy Hash: 63315C75A002048FCB14DF68E5586AEBBF2BF8D310F148169D406EB3A1CB75AC85CFA0

Function 0079AD38 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd2837318d09d4210a9fb1565667733a459589afa6608d3098dbe45d8095dc9
Instruction ID: 1197d3fb8a9e44ed4e1f2b91ecf4d26fd6d3617ddfc92edb2e36b5847abbfcf2
Opcode Fuzzy Hash: bbd2837318d09d4210a9fb1565667733a459589afa6608d3098dbe45d8095dc9
Instruction Fuzzy Hash: D33170B4E002059FDB04EBA4D855AAEBBB3EF84300F1184A9D119AB395DA389D418BA1

Function 0079E060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e41ca667ce5fde59d2ab953ce931877236204ecc6077a32a381c438ca13c63
Instruction ID: d1ebe46d05fab431ef8c1afdb44a865eb0aa93f8405c713137101d82475b81a1
Opcode Fuzzy Hash: 54e41ca667ce5fde59d2ab953ce931877236204ecc6077a32a381c438ca13c63
Instruction Fuzzy Hash: A6314B74A002048FCB14DF68D458A9EBBF2BF89310F148569D406EB3A1DB75AC81CFA0

Function 007993F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0d204fb9ba44fa291e17a92d56bdea90d40ff8144d88a050d967be176ea059
Instruction ID: 82c4d84ec1816952bb5072f5492a5c7e39b9bbd9566c6c5051230ec95a8d2ee7
Opcode Fuzzy Hash: 5c0d204fb9ba44fa291e17a92d56bdea90d40ff8144d88a050d967be176ea059
Instruction Fuzzy Hash: D43189B59017448EEB60CF6EE0897CAFBF2EB88320F28C41ED55D9B254D7786482CB51

Function 0079AD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b4cda16a920d7fa3d4dd013dc675d815321ad2aa35d789cea20b0c069b0327
Instruction ID: 1ddac0ee967f4cf3c2efb3e24af016a054292e46b6dc7343792d2d1053537b31
Opcode Fuzzy Hash: e5b4cda16a920d7fa3d4dd013dc675d815321ad2aa35d789cea20b0c069b0327
Instruction Fuzzy Hash: 3C315EB4E002099FDB44EFA4D955ABEB7F3EF84300F118479D119AB399DA399D018F91

Function 0067F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd3f3b7ae52bd3cc663f02dbad3de2ed7d0f1a5809ced700db51ad4f96af579
Instruction ID: 314cf2595ac3a1ea87cf8f5dee429466b02156180202df279b6924e6d0fcc43a
Opcode Fuzzy Hash: ccd3f3b7ae52bd3cc663f02dbad3de2ed7d0f1a5809ced700db51ad4f96af579
Instruction Fuzzy Hash: 7821D171504200EFCB05DF14D9C0F27BBA6FB88314F24C5B9E9094A35AC736D856CBA1

Function 0067F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb2001740ff52cb0174294ccd037f71f5ee96432b3245e3fee24a625e65edfe
Instruction ID: 83a1972ddd5687617ea63bb85aaaab6e411f38c071ef4ad23a8ab3680da33fe1
Opcode Fuzzy Hash: 1fb2001740ff52cb0174294ccd037f71f5ee96432b3245e3fee24a625e65edfe
Instruction Fuzzy Hash: BC212F75604200DFCB10DF24C9D0F26BBA6EB88324F20C6B9D80E4B396C33AD846CA61

Function 00799408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290376190dfb6162907c93cf6596cd97a12fe7d5de11237013963901bf7e154e
Instruction ID: f55514f11a804cbb15dbd0f2ade40f234f0954daaabf0dc0434d2846b2e76069
Opcode Fuzzy Hash: 290376190dfb6162907c93cf6596cd97a12fe7d5de11237013963901bf7e154e
Instruction Fuzzy Hash: C32168B49017448EEB60CF6ED08878AFBF6EB88310F28C42ED95D97255D77868818B61

Function 0079782E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a45d939583189c3dd169853465460c35300698baba64e7fb69896f470216e7
Instruction ID: b871d04fb467a860eaf8da700ddf9e9e861b844527d19ab8627ad948f8033f98
Opcode Fuzzy Hash: 45a45d939583189c3dd169853465460c35300698baba64e7fb69896f470216e7
Instruction Fuzzy Hash: 51119E353002149FDB08DB69E894D7ABBEAFB88720714456AE509CB395DF35DC02CB90

Function 00797664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fa0ba313a38f0d85086ae9cc6d7bc8be5440936551b0cd2444512246802aff
Instruction ID: 7feddf5ad7c8acba3c488f5f2884695cd7ae7f9ec15f54ead5f69a27d5b511b6
Opcode Fuzzy Hash: 45fa0ba313a38f0d85086ae9cc6d7bc8be5440936551b0cd2444512246802aff
Instruction Fuzzy Hash: 9911E9757001188FCF04DBA8E9409ED77F6EBC8325B0540A5E509EB725DA35DD15CB90

Function 00792C5C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2373b66f432640f23fe6d64c675b36516568e8425805bdd2170b29e583dc2b7
Instruction ID: 7fb746eeedbedd5f7566c940da76eb67509a07a0236fe588015a06aade4b3b10
Opcode Fuzzy Hash: b2373b66f432640f23fe6d64c675b36516568e8425805bdd2170b29e583dc2b7
Instruction Fuzzy Hash: E4217F705092D05FDB03EF6CD8A05E9BF71EF47314B1580D6C0909B1A7C62A9C56DB65

Function 0067F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 3603eeae5001546c71d41cd31169ed3d0cb59f6a2e4c17c01296e04a7471b402
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 17219A76504240DFCB06CF10D9C4B56BFB2FB88314F24C5A9D9094A25BC33AD86ACB91

Function 0067F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: bd4c75c649ea432f2811053367308503ba001c851aaa3b8a0c4fec16c14506e1
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: F211DD75504280CFCB11CF14D5D4B55BFA2FB84328F28C6AAD80D4B756C33AD85ACB61

Function 0079E320 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a82c6fafa4bca314bce9592fd4c5ede306623f598b088a51d9b46bdd450e34
Instruction ID: a22457d71c00eb60f5db406b805b3a2ee8f9796e16ec7c3a9afb96337f8200ae
Opcode Fuzzy Hash: c4a82c6fafa4bca314bce9592fd4c5ede306623f598b088a51d9b46bdd450e34
Instruction Fuzzy Hash: EE119DB2800645CFDB10CF9AD5047DEBBF4EF48310F28846ED458A7251D3389981CFA1

Function 0079E330 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4cdff8e6a44e8a1584842d0337af08ee7d63fa6f0a354a040228c8d1aa84cd
Instruction ID: d17414b4caf42acab5f3a43a89ea8e9077d0e9984af03491f055ffe64ac2cf43
Opcode Fuzzy Hash: 2e4cdff8e6a44e8a1584842d0337af08ee7d63fa6f0a354a040228c8d1aa84cd
Instruction Fuzzy Hash: 581166B19003098FDB20CF9AC50479EBBF4EB48320F28846DD448A7241D379A980CFA5

Function 0079BCF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a02bdef29feba70f36a914419c7db2646e42334099502e275af3baab1258ac4
Instruction ID: 9fb16ebf18318d5c295390d177e999f7c6b1dd3d8b448d2e27a574e36112ceac
Opcode Fuzzy Hash: 5a02bdef29feba70f36a914419c7db2646e42334099502e275af3baab1258ac4
Instruction Fuzzy Hash: 6D0192316083449FC718CB75E594AAA7FF5EF45310B1484AEE09ACB6A2CB34EC45C701

Function 0079DEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c318656556917a7e518b658051299bb8890aa95cff793f8e0519d94e2dcf4e3d
Instruction ID: da15676ff111e254faa4b7885bac6ab2b0e276e8d77e8f9ab914533c3dc19bd5
Opcode Fuzzy Hash: c318656556917a7e518b658051299bb8890aa95cff793f8e0519d94e2dcf4e3d
Instruction Fuzzy Hash: 43019E35B00214DFCB119B74E818AAEBBF5FB88315F004069E90AD7351DB369901CB90

Function 0079DFD8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0736ecb913d79471f3517a2ff21362f71dcd99722f430deb60536df28127d089
Instruction ID: b1e17589f35cf7fa61a15b88993414eaf0e94f0edc41f998440a690a53255cf7
Opcode Fuzzy Hash: 0736ecb913d79471f3517a2ff21362f71dcd99722f430deb60536df28127d089
Instruction Fuzzy Hash: CB11F335204750CFC728DF79D08086ABBF6AF8921532489ADD48A8B7A1CB36EC45CB50

Function 0067D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5d97058e2537dcb5ee4131b4a3bd8f32158db80e9b88a6797df99f4d2aca7f
Instruction ID: 6abcfc733c339d1ecd9dcde6a1fc6f867f25a013b8968768710f306626ab0eb9
Opcode Fuzzy Hash: 2a5d97058e2537dcb5ee4131b4a3bd8f32158db80e9b88a6797df99f4d2aca7f
Instruction Fuzzy Hash: 6C01DB714093449EE7104F25CD84BA7BFA9DF51324F1CD929ED4C4B246C679D882C7B1

Function 0079DCE1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e208ee10fb82a8323ab8e3e524f7edbf356ff00699c3ceb8f88b822200976f
Instruction ID: 8e809d0af0aebf98db8cdadb88838ffc952ee893eef4733d1a135ceb8c45081e
Opcode Fuzzy Hash: 04e208ee10fb82a8323ab8e3e524f7edbf356ff00699c3ceb8f88b822200976f
Instruction Fuzzy Hash: 0601F736B04144ABCB149764E8048E9BFB19FD8320F1884BAD8059B351DE755C8287A1

Function 0079BF20 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83593dee885edab8d9c37a86f96a19b110a3bc6b473c5a1eb3030c3b8b223212
Instruction ID: 64e5952f7c8fa971443f24e1cb5c6cabef2e0432a80992bc765ff5123c21137c
Opcode Fuzzy Hash: 83593dee885edab8d9c37a86f96a19b110a3bc6b473c5a1eb3030c3b8b223212
Instruction Fuzzy Hash: 0AF0F6727092606FD7108A7AAC80AB7BFEDEFC9620B19447BF544C7391CA74CC0087A0

Function 0079F7C1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85d11a00f9410315b15b9809d07a49f8145a69566bc210d4403c3ff6072b3f5
Instruction ID: 2b484549ae110f83a39529df98e956634d1edabe3131cc85cfe231b8b926cd19
Opcode Fuzzy Hash: a85d11a00f9410315b15b9809d07a49f8145a69566bc210d4403c3ff6072b3f5
Instruction Fuzzy Hash: CB011672D0074ADBCB00CFE4D9405EDBBB1FF99310F204B2AE415AB644EBB46686CB80

Function 00797940 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5eb9d3f60e53853fe6754294e519bb5401cca61d9f26bae80d56c4abc06fec5
Instruction ID: bde10625a3115e7a6919140fb27e7f90aec7c3e6715fa94717b60e505c2daccb
Opcode Fuzzy Hash: a5eb9d3f60e53853fe6754294e519bb5401cca61d9f26bae80d56c4abc06fec5
Instruction Fuzzy Hash: 84F02B717052149FCB509765EC4596F77E9DF88330700062DE11A87390DE34AC4083A5

Function 0067D993 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2a3be9848f851cae59ee59443560e43664cc374140d5fcdf8bbc898bab10d0
Instruction ID: 93680407d403fbb65a1e0aeccb3d34ea45325bf3bc3f158d2c8f0ee20b1d1c31
Opcode Fuzzy Hash: ad2a3be9848f851cae59ee59443560e43664cc374140d5fcdf8bbc898bab10d0
Instruction Fuzzy Hash: 2AF0F976200600AF97208F0AD984C23FBBDEFD4770319C56AE94A4B756C671EC42CEA0

Function 0067D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d389a1e3cc20702b35ebf220de89be2261f9455baf0b198fd099b5e0a046d6db
Instruction ID: d814e60ca27784bca7a6a4f109b2cb40c0473d2ecd075971b467821df195b84c
Opcode Fuzzy Hash: d389a1e3cc20702b35ebf220de89be2261f9455baf0b198fd099b5e0a046d6db
Instruction Fuzzy Hash: 9EF06272405344AEE7108E16C984BA6FFA8EF51734F18C95AED4C4E286C2799845CBB1

Function 0079794E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef63532f6eee794781659b72137d091b2b7263f053c916c39b1d7a1f2b45f18
Instruction ID: 0c6eed021a6609c0487721b20a0e576e290785dec329f14533beb8847bb8488b
Opcode Fuzzy Hash: 8ef63532f6eee794781659b72137d091b2b7263f053c916c39b1d7a1f2b45f18
Instruction Fuzzy Hash: BFF027713002189FCB509769E84496FBBEAEB88330B00052DF10ED3310DF34AC418764

Function 0067D984 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798069713.000000000067D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_67d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029f6c150894400f6572dc521adaaef7fc91126e4ec00d4c0d48d7f8e91e2aee
Instruction ID: 40c3c4556f6a232b73e475516e312f6684de1f4fe2a68fbc06e620ed5857e713
Opcode Fuzzy Hash: 029f6c150894400f6572dc521adaaef7fc91126e4ec00d4c0d48d7f8e91e2aee
Instruction Fuzzy Hash: 8EF0F976100640AFD725CF06C984D23BBB9EF95720B29C49DA85A5B752C631FC42CFA0

Function 007990E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4840fe1620dc637e8cadf0e96539baacc2e2dbdfca18fe501751aee2b2f80bc
Instruction ID: 25350b65ccfb5b67a63d04a5d5698f585b37650c200448c8169749592a090863
Opcode Fuzzy Hash: e4840fe1620dc637e8cadf0e96539baacc2e2dbdfca18fe501751aee2b2f80bc
Instruction Fuzzy Hash: D0F0F0B6B041148BE354AB24D0197ABBBA2EBC0329F14816ED44A4B385CE392906DBD1

Function 0079F7D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394bde2b79c153838f08ad2fc887d645c3a88a7e705f8f356aa24ead10446859
Instruction ID: 98f7d1a8e9c0c04c5beea3434e7b3c6967f671fc8d34062b7910b013e7900363
Opcode Fuzzy Hash: 394bde2b79c153838f08ad2fc887d645c3a88a7e705f8f356aa24ead10446859
Instruction Fuzzy Hash: 1B01D271D0074ADBCB44CFE4C8446EDBBB1BF99300F20472AE015A6644EBB02686CB80

Function 00797950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0656c60b850a07ec64ccf52224cdc81099e6296fe5ca47af77c7517367b92bd2
Instruction ID: c6c347cd147e7792ab6ad709acbfcdc41df975c8f2e86b80005b07694c5bf411
Opcode Fuzzy Hash: 0656c60b850a07ec64ccf52224cdc81099e6296fe5ca47af77c7517367b92bd2
Instruction Fuzzy Hash: 8FF0A0717006289FCB549A6AE844A6FB7EAEB88371B00092DE10ED7350DF75AD4187A4

Function 0079DE40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e2ed10d0e97fbb7823aee6664afafa95aa8e16e3014a91db6c21b897daca05
Instruction ID: c717f4ababdf3c654119a3979f76775a6c5b9c285c450576842fd84c7fe24418
Opcode Fuzzy Hash: b4e2ed10d0e97fbb7823aee6664afafa95aa8e16e3014a91db6c21b897daca05
Instruction Fuzzy Hash: D1F08C3A7041408FC7208B2CE494866BBF6AFDA71531A00DAE488EB332CA61CC12CB40

Function 007990F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a762a84b39e3a21f8eab31e35e323bf7569b66ade3942c12fd5b2839de9c1f4
Instruction ID: cdc78737780b944fe323557fe583808d3d5beeaa0da4467e4f073a06a5996260
Opcode Fuzzy Hash: 4a762a84b39e3a21f8eab31e35e323bf7569b66ade3942c12fd5b2839de9c1f4
Instruction Fuzzy Hash: BEF027B16001089BE744AB64D0197AFB7D6DBC1328F10C12ED90D473C5DE392906C7D2

Function 0079767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55be38f708077e5a213a99e9951661b38d6949903cbf18c6f356ec07122a7924
Instruction ID: 526fd30d48c360cd6269e255c6077128537832dde862e545a5d5bd17b3c178e3
Opcode Fuzzy Hash: 55be38f708077e5a213a99e9951661b38d6949903cbf18c6f356ec07122a7924
Instruction Fuzzy Hash: 5AF0A0753005148FCF08DBADA8409A977A2EBC83547054158E50DDB328DF39DC028B80

Function 00799160 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e0cd64ad5d5016d7c0eaa6cb6cfb0f3afdccbbc5b5c1332844de3f626d3e6f
Instruction ID: b2bc4cab6ffc536d2ef787183a6a3b78cd005518f6dcf898426bab07506e231b
Opcode Fuzzy Hash: 33e0cd64ad5d5016d7c0eaa6cb6cfb0f3afdccbbc5b5c1332844de3f626d3e6f
Instruction Fuzzy Hash: C3F082719043044BD7609F78D49D3DA7BD5FB44320F00442ED54DCB381DB3968818791

Function 0079DE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a023b56dc4a95b3c7f0d855bbd8701c5ff6af77c051071d5d1b72291a374277b
Instruction ID: b39e6b747756932f523e9324577495719659d7aedec7ff2044e9a2e55a3ca028
Opcode Fuzzy Hash: a023b56dc4a95b3c7f0d855bbd8701c5ff6af77c051071d5d1b72291a374277b
Instruction Fuzzy Hash: D4E0E5363001158F86209B1DE498C2AB7EAEFDEB6571900AAE949DB335DA61EC018B90

Function 00799549 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8965beb330b7e2ae1f3a628a70075bc3b8c7d63c8ea5a127bdb06a9c24dc8221
Instruction ID: 1497c8245957864e6c54915b943ed532a6ee931a306b1629926939fcd4673065
Opcode Fuzzy Hash: 8965beb330b7e2ae1f3a628a70075bc3b8c7d63c8ea5a127bdb06a9c24dc8221
Instruction Fuzzy Hash: A1E0D892708115179D5151BD78142BB95CF8AC377070A02769615CB6C1DC08CC0143F3

Function 00799170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f2f0db17c96f58b0cd9a9743c8605e2fd078d31bcb44197c3f9ed7d726e037
Instruction ID: 736a0ce3c7d70630ffb810cd6a7d4bd949d5648c0b04a96184eb5c4c89b574fd
Opcode Fuzzy Hash: 02f2f0db17c96f58b0cd9a9743c8605e2fd078d31bcb44197c3f9ed7d726e037
Instruction Fuzzy Hash: 99F0ED709007189BD764DF79D89D79ABBE9FB44310F00442DE65EC7390DB396981CB91

Function 0079896A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8dc4a3dadd43cb8403578e1348b2f5140a1b2104c406fc6cbb57e35cadea7a
Instruction ID: fa207f6a0e2f2c433872a98bb9c597cb476386fae6752fe5cff7e2e6214ad84b
Opcode Fuzzy Hash: cd8dc4a3dadd43cb8403578e1348b2f5140a1b2104c406fc6cbb57e35cadea7a
Instruction Fuzzy Hash: BEE09B36708510CBCB092774E41C2DD2957AFC4725F05006ED50987382CF7C4E1597D6

Function 0079F860 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea36175a71a451b2f1784ef0946ecf14f5c6e7e8c270965079fea8cc18cd2c18
Instruction ID: 2407c0afbbf65fdcdf59953e8b8aa6d24364ef81df6695777b2c4f4c3270298c
Opcode Fuzzy Hash: ea36175a71a451b2f1784ef0946ecf14f5c6e7e8c270965079fea8cc18cd2c18
Instruction Fuzzy Hash: CCE01274D0010AAF8784DF78D8415A9FBF4EF04200F20856ADD09D7201E7725952CBD1

Function 00798978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d93df60fe64c3ecf458f6127b23b4f059f1c4450d67415d80bd7435f2fbcd67
Instruction ID: 1b5884af97e76cf6cf689fde824e6f9f41f418752312a498ce47e5c707069edb
Opcode Fuzzy Hash: 2d93df60fe64c3ecf458f6127b23b4f059f1c4450d67415d80bd7435f2fbcd67
Instruction Fuzzy Hash: 08E04F35704A1497CB093779E81D2EE7A9AABC4725F04002EE60A87381DF6D5E0293DA

Function 0079AF98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375b3b08525cd049866a54157e1b579eb2e465f44f9a680b37039315285257d0
Instruction ID: 7cc0ac9c93bdfa120b70b9685841fdd94aa14fe41ece7d7dd3837c28d61f48b1
Opcode Fuzzy Hash: 375b3b08525cd049866a54157e1b579eb2e465f44f9a680b37039315285257d0
Instruction Fuzzy Hash: 4FD02B2BB0D265278F16507E74206A67B9BC7C923074D8476F408C7740DC55DC0302E6

Function 00799558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9d28175938aa6867ca860b0af13cf5fa35b961f34764edcc73d7d3ed6d9652
Instruction ID: 3e13a4c9177234c6860b9c827d89cd9a4f84d3a0f617da351b7c2632edb82f10
Opcode Fuzzy Hash: cd9d28175938aa6867ca860b0af13cf5fa35b961f34764edcc73d7d3ed6d9652
Instruction Fuzzy Hash: 71D05E9270912A2B9D9420AE38056BFD2CFCAC77A070A017AAB05D3382EC48CC0103F2

Function 0079DCF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: bc58391063747eebc266526a97b81a82be713050c3c6d31fd92f5fc1b3df7de2
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 05E08631B04018978B189599E4504E9F7B5DBCC320F14847ED90AA7340DA725D1686E1

Function 00798739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12c2fd6c0725eb4701e78056f33e165670a62125435966814f6e57255b3aef3
Instruction ID: 38e6307c853c8343d908a0539791409e0c069fa586011ad5b593507bbd15a64f
Opcode Fuzzy Hash: d12c2fd6c0725eb4701e78056f33e165670a62125435966814f6e57255b3aef3
Instruction Fuzzy Hash: 6CE08C3680414A8BCB18ABA4F80B4FDBF78FA10311B50016AE9064B3A0DF341A8BCFC1

Function 00798800 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8ff54d64ba427a776b8adc3e96949ed19013bb53ce2407acc1309c2d164394
Instruction ID: 04c7273d4639d53cb8af1e49242c7eb9415fe57303428229ae09bfe329504706
Opcode Fuzzy Hash: ad8ff54d64ba427a776b8adc3e96949ed19013bb53ce2407acc1309c2d164394
Instruction Fuzzy Hash: ABE08632E081478FC754EFA4E4464ADBFB1AB45304B00415AD90597760DA305D45DB81

Function 0079F870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 6627d5303b6ab839f8839bafc7e04b6294113b4ffe3f0bc2c5d938a1df020ba3
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: CED06270D042099F8780EFADD94156DFBF4EB48200F6085BAC919E7301E7355612DBD1

Function 00798748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cb3f2717746b0edec744cc4c101675b1ac580f0997259328a434cb153484cc
Instruction ID: 5b4b73095d935054bf6a0440a1dfc2cde824a078cf7b1976c027ef355f4809a6
Opcode Fuzzy Hash: 04cb3f2717746b0edec744cc4c101675b1ac580f0997259328a434cb153484cc
Instruction Fuzzy Hash: 88D06731C045098BCF08ABA4E85B4FDBB78FA14301F504169E907572A0EE751A5ACEC5

Function 00798810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5451e70e647a0e69b4501497004a75b243398a37e97b2610a95b1baabee5dfe
Instruction ID: f4fcc2346af8a8ea33878e935245916b91847b7a7c260d12cd2c8291c372e3cc
Opcode Fuzzy Hash: c5451e70e647a0e69b4501497004a75b243398a37e97b2610a95b1baabee5dfe
Instruction Fuzzy Hash: 85D01234D0420A8FCB44DF64E44646DBBB4AB45300F004155D90597350EA345D01DBC1

Function 0079791A Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773ebf1be74a74b8fb6b60b845cc3d2a7e13e683f7946ba60b364f9819084654
Instruction ID: 124989f0536039d9af884e9c78b16fdb2ca7f113c85f0915b76476d3399a81d2
Opcode Fuzzy Hash: 773ebf1be74a74b8fb6b60b845cc3d2a7e13e683f7946ba60b364f9819084654
Instruction Fuzzy Hash: CDC012364083499BC6297F75B8498583B14AF413343400B95E53A0AAE7CD369485C657

Function 00797926 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0e1af050bc5774a175e6bec73b8a5f37e3e75fa5c6415e6e2a1cf4ae4d7358
Instruction ID: 7734effeb9b35a63c46955075c33dd1d8efed0fe3da2604e3349ca941cc6c3f1
Opcode Fuzzy Hash: 9c0e1af050bc5774a175e6bec73b8a5f37e3e75fa5c6415e6e2a1cf4ae4d7358
Instruction Fuzzy Hash: F1C09B3104434D8FC355AF75E44541477197F4511935004D5E90E1A352DF76D495CF45

Function 00797928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbedbb1caa3f7b8e2fd951b6fc353bd2a0d2c82350e3d21b15e372c5b92f301d
Instruction ID: 33c93fe3c151b55903547f70d53cc4ee2de5173916dcec9cf6276233b2dc089b
Opcode Fuzzy Hash: bbedbb1caa3f7b8e2fd951b6fc353bd2a0d2c82350e3d21b15e372c5b92f301d
Instruction Fuzzy Hash: EDB0923104430D8FC259AF75E4098147329BB4021939008A8EA0E0A3A28E7AE889CA45

Function 00797E9E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a0760f0d272a074c61e8b5f8e7991f263572ae2584bebcc60ed337afe84c42
Instruction ID: 579553730b8f1c739005d749c7f605703d3fa4cd65b7aa281e3895a7083e2e11
Opcode Fuzzy Hash: 01a0760f0d272a074c61e8b5f8e7991f263572ae2584bebcc60ed337afe84c42
Instruction Fuzzy Hash: 1EA02233A2808203FF0CEB30020803ABF230BCA202308C0E88003C0080CE308002CB00

Non-executed Functions

Function 06E51BE0 Relevance: 20.4, Strings: 16, Instructions: 401COMMON

Download Yara Rule

Strings

rVl, xrefs: 06E51C5D
JWl, xrefs: 06E520C2
4'^q, xrefs: 06E51C92
JWl, xrefs: 06E52017
$cIk, xrefs: 06E520B4
JWl, xrefs: 06E5200B
JWl, xrefs: 06E520CE
84Tl, xrefs: 06E51F76
tP^q, xrefs: 06E51FEB
4'^q, xrefs: 06E51F95
4'^q, xrefs: 06E51F89
rVl, xrefs: 06E51C53
4'^q, xrefs: 06E51C86
tP^q, xrefs: 06E51FDF
84Tl, xrefs: 06E51F6C
JWl, xrefs: 06E51FA1

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: $cIk$4'^q$4'^q$4'^q$4'^q$84Tl$84Tl$tP^q$tP^q$JWl$JWl$JWl$JWl$JWl$rVl$rVl
API String ID: 0-2704879209
Opcode ID: ab9d419cb1aeadfe9428ca12addd4143da5b3e64324d3981ae7672a6543a9350
Instruction ID: 4ced9ac2a75e505daa83456e1ffd051fac81bef885b557fc21abfbdaa64b8f42
Opcode Fuzzy Hash: ab9d419cb1aeadfe9428ca12addd4143da5b3e64324d3981ae7672a6543a9350
Instruction Fuzzy Hash: F0D16831F043048FCB658B6898047EABBF6AFC5310F1A94ABD905CF255DB32C885C7A1

Function 06E52AD8 Relevance: 12.8, Strings: 10, Instructions: 263COMMON

Download Yara Rule

Strings

#Fk, xrefs: 06E52BA7
$^q, xrefs: 06E52CBA
$^q, xrefs: 06E52CE0
tP^q, xrefs: 06E52D31
4'^q, xrefs: 06E52BDB
4'^q, xrefs: 06E52BE7
tP^q, xrefs: 06E52D25
Ll, xrefs: 06E52D8F
Ll, xrefs: 06E52D9D
$^q, xrefs: 06E52CEC

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$#Fk$$^q$$^q$$^q$Ll$Ll
API String ID: 0-3724334424
Opcode ID: 1d693e251a059b04cf9bcc207174e8182bb286a6cc3eff50d552b7a757b09d4e
Instruction ID: 3e01dd3ef4a9b3f6c0d956c123bfeb471c054682813d9691b9fec00c1cc602fd
Opcode Fuzzy Hash: 1d693e251a059b04cf9bcc207174e8182bb286a6cc3eff50d552b7a757b09d4e
Instruction Fuzzy Hash: CC816932B043158FCBA59F38981166ABBE1AFC1714F16846ADE01CF366DB31CE45C7A1

Function 0079EBB8 Relevance: 8.9, Strings: 7, Instructions: 150COMMON

Download Yara Rule

Strings

$^q, xrefs: 0079ED55
$^q, xrefs: 0079ED3B
$^q, xrefs: 0079ED21
$^q, xrefs: 0079ECB0
,bq, xrefs: 0079EC0D
$^q, xrefs: 0079ED07
$^q, xrefs: 0079ED6F

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-13851718
Opcode ID: fa4c8094ce6f1b73bd58e6764aa5f28996972431b85d0602417085087140853f
Instruction ID: 6773233783432cc63c485aa4dafc569b4ec19c267b6a8512ec95cd8eeaa57b12
Opcode Fuzzy Hash: fa4c8094ce6f1b73bd58e6764aa5f28996972431b85d0602417085087140853f
Instruction Fuzzy Hash: 284144703845188FCF29EB79A95462D3AD37B89B5032018BAD452CF3B5DF1ECC824762

Function 06E52108 Relevance: 8.8, Strings: 7, Instructions: 95COMMON

Download Yara Rule

Strings

JWl, xrefs: 06E5214A
JWl, xrefs: 06E52156
JWl, xrefs: 06E521BA
$^q, xrefs: 06E52166
$^q, xrefs: 06E52172
JWl, xrefs: 06E521C4
TcIk, xrefs: 06E521F2

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: TcIk$$^q$$^q$JWl$JWl$JWl$JWl
API String ID: 0-3209981559
Opcode ID: c1d756b6fa436913b1f8077906e8840744ae8219ec588cdab8b87ce198f13ac9
Instruction ID: d51455d4ef9fda1cc50e74509fb02072a83b00f04d79e06e98ad49b4474643a1
Opcode Fuzzy Hash: c1d756b6fa436913b1f8077906e8840744ae8219ec588cdab8b87ce198f13ac9
Instruction Fuzzy Hash: D7313931A4D3908FC77686384D119437FB69FD261071B94ABDB80DF26AD6328D8DC3A6

Function 06E52DF0 Relevance: 6.5, Strings: 5, Instructions: 264COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06E52EEE
tP^q, xrefs: 06E53068
4'^q, xrefs: 06E52EF8
tP^q, xrefs: 06E5305C
$Fk, xrefs: 06E52EBF

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$Fk
API String ID: 0-4064001578
Opcode ID: 58079d6eb7d3a1a34b95d44485c8e47191cf938ab63c98a4e682f858cfc8e6b2
Instruction ID: 163a7f53d7600d2e2180e33964d5e659babf9fbe154974fcc18eab3b9bc297d4
Opcode Fuzzy Hash: 58079d6eb7d3a1a34b95d44485c8e47191cf938ab63c98a4e682f858cfc8e6b2
Instruction Fuzzy Hash: 14815731F043048FDBA58B789C017ABBBE6AB81714F15906BDE059F291EB32C981C3E1

Function 00797A09 Relevance: 6.5, Strings: 5, Instructions: 240COMMON

Download Yara Rule

Strings

`_q, xrefs: 00797B8A
`_q, xrefs: 00797C2C
`_q, xrefs: 00797B0B
`_q, xrefs: 00797CAA
tMVl, xrefs: 00797ABC

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: tMVl$`_q$`_q$`_q$`_q
API String ID: 0-558380399
Opcode ID: aa88cc29bcd205085fda3993d0b8147d2d664bb4a22e170f993042a945a9eae9
Instruction ID: e2faaa8b27b6f0639806806469a9fa264bb652603d354b9d3bdf93ce7d9367e7
Opcode Fuzzy Hash: aa88cc29bcd205085fda3993d0b8147d2d664bb4a22e170f993042a945a9eae9
Instruction Fuzzy Hash: 47B1A474E012199FCB54DFA9D991A9DFBF2FF88300F108629E819AB315DB34A945CF90

Function 00797A16 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

`_q, xrefs: 00797B8A
`_q, xrefs: 00797C2C
`_q, xrefs: 00797B0B
`_q, xrefs: 00797CAA
tMVl, xrefs: 00797ABC

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: tMVl$`_q$`_q$`_q$`_q
API String ID: 0-558380399
Opcode ID: 60ad482af838bbc5f3ff07431a8b5592b798886f8c51636436a159585b7a88a4
Instruction ID: ff2f85e7edb502aab29d33a5bd203e0e34a2b04e97bbe0db3786fdb0d28fe17f
Opcode Fuzzy Hash: 60ad482af838bbc5f3ff07431a8b5592b798886f8c51636436a159585b7a88a4
Instruction Fuzzy Hash: C4B19474E012199FCB54DFA9D991A9DFBF2FF88300F108629E819AB315DB34A945CF90

Function 00797A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`_q, xrefs: 00797B8A
`_q, xrefs: 00797C2C
`_q, xrefs: 00797B0B
`_q, xrefs: 00797CAA
tMVl, xrefs: 00797ABC

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: tMVl$`_q$`_q$`_q$`_q
API String ID: 0-558380399
Opcode ID: b8690a5feb79cdd8be0361f3a866d38f1f47c732a68be5b6ec4df90f3e8d392a
Instruction ID: 8c77a02943dc7f111bd87490fb0fd659deeb51221fb88c6f00dafbae719d55a1
Opcode Fuzzy Hash: b8690a5feb79cdd8be0361f3a866d38f1f47c732a68be5b6ec4df90f3e8d392a
Instruction Fuzzy Hash: EEB19274E012199FCB54DFA9D991A9DFBF2FF88300F108629E819AB315DB34A945CF90

Function 06E53110 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06E531C0
RVl, xrefs: 06E53294
tP^q, xrefs: 06E53324
tP^q, xrefs: 06E53330
4'^q, xrefs: 06E531B6

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$RVl
API String ID: 0-1994468666
Opcode ID: 9a1f9c5896acebf431f82a90b96a8e03d34416529c45b633a0ce33d3fa407274
Instruction ID: 331196acb04c640f6edc18365e02ab564b6b30c04230096ad3977810c1fd88c0
Opcode Fuzzy Hash: 9a1f9c5896acebf431f82a90b96a8e03d34416529c45b633a0ce33d3fa407274
Instruction Fuzzy Hash: 44713735F043058FDBA48B6989057AABBF6AFC1350F19906AD915CB291FA31C845C7E1

Function 06E54638 Relevance: 6.4, Strings: 5, Instructions: 140COMMON

Download Yara Rule

Strings

TFk, xrefs: 06E546E5
4'^q, xrefs: 06E54725
XYVl, xrefs: 06E546FF
4'^q, xrefs: 06E54719
XYVl, xrefs: 06E546F3

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: TFk$4'^q$4'^q$XYVl$XYVl
API String ID: 0-224260463
Opcode ID: 43ffe48aa986b2a01cafd7111d0bc9f93548c6bad931b949d36d5a6d4c00922a
Instruction ID: 2ffedd404aa281b9ce703b39be19f325742b302b16d5abe3dcd2660d66992766
Opcode Fuzzy Hash: 43ffe48aa986b2a01cafd7111d0bc9f93548c6bad931b949d36d5a6d4c00922a
Instruction Fuzzy Hash: CB412C31F14304CFCB94CB69D8046AABBE6ABC6314B16946AD905CB3E6DB31CD85C7A1

Function 06E537F0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E537FF
Ll, xrefs: 06E5386D
$^q, xrefs: 06E53836
$^q, xrefs: 06E5382A
Ll, xrefs: 06E5387B

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$Ll$Ll
API String ID: 0-2289817599
Opcode ID: c514f09e0ec64e413eb4c4888c2c1cba1cb8c81954dcf01ac1fd7fa94524edc4
Instruction ID: a63bdd02576068e0d76872fcbecd9343349785781cd0473b570bb3a0e502438e
Opcode Fuzzy Hash: c514f09e0ec64e413eb4c4888c2c1cba1cb8c81954dcf01ac1fd7fa94524edc4
Instruction Fuzzy Hash: 9A11E935B043059FEB6C491A9804B67FB96ABC07A4F25D42BAC45CB3D4EE32C445C392

Function 06E50308 Relevance: 6.3, Strings: 5, Instructions: 65COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E5035E
4'^q, xrefs: 06E5037F
4'^q, xrefs: 06E502EB
$^q, xrefs: 06E50352
4'^q, xrefs: 06E50373

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-2831958266
Opcode ID: 8efe663db1fc824c0673cd4ae2fd349e26eda86d625e40963913792e0d99bc45
Instruction ID: f04fc81a1645997b47eb37614334810b7abe4624ca6b2411788655387c894f4d
Opcode Fuzzy Hash: 8efe663db1fc824c0673cd4ae2fd349e26eda86d625e40963913792e0d99bc45
Instruction Fuzzy Hash: A8112510B4A3954FC7AB12782C249966FB64FC2A5072A50AFE480CF367CE154D4A83B7

Function 0079EDE8 Relevance: 5.5, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

$^q, xrefs: 0079F16C
`Q^q, xrefs: 0079F2FC
$^q, xrefs: 0079F326
$^q, xrefs: 0079F110

Memory Dump Source

Source File: 0000000A.00000002.1798601900.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_790000_powershell.jbxd

Similarity

API ID:
String ID: `Q^q$$^q$$^q$$^q
API String ID: 0-2499013975
Opcode ID: f755ae3c6f2b0b030e90ac33010ddd774816f2445ffe96d6badb84668d809ced
Instruction ID: b45c4c5ffbf970b5211835482f148c9f579c851b8f157e088f2beb9a86b21892
Opcode Fuzzy Hash: f755ae3c6f2b0b030e90ac33010ddd774816f2445ffe96d6badb84668d809ced
Instruction Fuzzy Hash: 62E1E1307501148FDF18AB7DA81462E76D7AFC9B10B2444BAD806DF3B5EE79DC428792

Function 06E533D8 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

p5Fk, xrefs: 06E5344F
RVl, xrefs: 06E5342B
,SVl, xrefs: 06E5345D
,SVl, xrefs: 06E53469

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: ,SVl$,SVl$p5Fk$RVl
API String ID: 0-3075652356
Opcode ID: 3c8986458d82c06e433362a215b756b06c756029cdfd2792c872e6747e3c6da9
Instruction ID: 4218f5a0be9d841de0d8e881d9f18b194ea0bd86b7f474bedc3a1f248f7d66ad
Opcode Fuzzy Hash: 3c8986458d82c06e433362a215b756b06c756029cdfd2792c872e6747e3c6da9
Instruction Fuzzy Hash: CE412B31B043049FC7618B699801B9ABBF69F85350F15906AE949CB762FA32D942C7A1

Function 06E50C18 Relevance: 5.1, Strings: 4, Instructions: 130COMMON

Download Yara Rule

Strings

JWl, xrefs: 06E50C4E
4'^q, xrefs: 06E50C64
tP^q, xrefs: 06E50D74
4'^q, xrefs: 06E50C58

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$JWl
API String ID: 0-603908784
Opcode ID: 4c899f6870f4449b6c10fff0aa7e91764ac5bda869d12380d8a52a43146e6d36
Instruction ID: 646d3b3f87256f451aa628d709bbdf8851ff8d9b4bcc9d7f813a4cb19cdd58e8
Opcode Fuzzy Hash: 4c899f6870f4449b6c10fff0aa7e91764ac5bda869d12380d8a52a43146e6d36
Instruction Fuzzy Hash: DD417B30B453449FD7A58A658C11A66BFE6AFC2314B1AD0ABF5048F3A2CB32DC45C7B1

Function 06E55798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E55800
$^q, xrefs: 06E557AA
$^q, xrefs: 06E557C6
$^q, xrefs: 06E557F4

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 23fa245aa10fbb3a75850733d518e046add9660941ca0d1883c9662c64b93a1d
Instruction ID: a39fe66269c4acdde83240abc01f6ccb8e8bb67a6335dec68dd806e476cf9e4b
Opcode Fuzzy Hash: 23fa245aa10fbb3a75850733d518e046add9660941ca0d1883c9662c64b93a1d
Instruction Fuzzy Hash: 07216832B203059BDBB4592A8C01B27B7D6ABC0714F25943AED06CF3D5DD76C841C3A2

Function 06E52208 Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

Strings

JWl, xrefs: 06E52251
lcIk, xrefs: 06E52237
JWl, xrefs: 06E52245
TcIk, xrefs: 06E521F2

Memory Dump Source

Source File: 0000000A.00000002.1821745451.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e50000_powershell.jbxd

Similarity

API ID:
String ID: TcIk$lcIk$JWl$JWl
API String ID: 0-2668298924
Opcode ID: d3f1076cb3761b3f41855dbbb483ea930f670a7361cb715dd6b6eb5d29924c73
Instruction ID: ef725fbac860be9bcdec656afbfc9ec6593b88478c2e82a67fcd82070a0eb6c7
Opcode Fuzzy Hash: d3f1076cb3761b3f41855dbbb483ea930f670a7361cb715dd6b6eb5d29924c73
Instruction Fuzzy Hash: D8014C79A59350AFC76282385C12E537F668BD3704B068593F940EF3A6D6618D84C7F2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CH5FQLPZHWQW5TXD_6eeabbae5e165c4a861c92134e9484f56eb98e6_b956fc39_9100153d-56bc-45e0-9f1e-ac46bf4ebbca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71E3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73E9.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01bay35h.on5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wddgtpb.1q3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dxww1fj.1z2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfpcwqfp.mgt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eq54itpa.dze.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2mxthd3.tl5.ps1

Windows Analysis Report
719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe