
Windows Analysis Report
719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe

Overview

General Information

Sample name:719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
renamed because the original name contains a non-ASCII character, which Joe Sandbox encodes as #U665a
Original sample name:719) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Analysis ID:1475013
MD5:bae47cae3594a134428398129131c4f3
SHA1:a44c40cb661ad52ed559ecb28bda620438a816c6
SHA256:225f24ec8e5c27e915e65abcd7d11cc6908b48c5e60e16aaff5eaf05f162e0a5
Tags:exe

Detection

DarkTortilla, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected XWorm
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe" MD5: BAE47CAE3594A134428398129131C4F3)
    • InstallUtil.exe (PID: 7988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • powershell.exe (PID: 7152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 1624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: XWorm
Description: Malware with a wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
Extracted malware configuration (XWorm): {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
00000000.00000002.1964842836.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x2a6c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2a761:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2a876:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x29bb6:$cnc4: POST / HTTP/1.1
00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1093a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x109d7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10aec:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfe2c:$cnc4: POST / HTTP/1.1
(11 further memory-dump matches not shown)

Source | Rule | Description | Author | Strings
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.409c9e0.4.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.5830000.6.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd95a:$cnc4: POST / HTTP/1.1
0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(12 further unpacked-PE matches not shown)

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7988, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7152, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7988, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7152, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7988, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7152, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 7988, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7988, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7152, ProcessName: powershell.exe
                Timestamp:07/17/24-15:01:01.252360
                SID:2855924
                Source Port:49714
                Destination Port:7061
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:2024-07-17T15:01:01.252360+0200
                SID:2855924
                Source Port:49714
                Destination Port:7061
                Protocol:TCP
                Classtype:Malware Command and Control Activity Detected
                Timestamp:2024-07-17T14:59:19.276119+0200
                SID:2840787
                Source Port:49707
                Destination Port:443
                Protocol:TCP
                Classtype:Potentially Bad Traffic
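The process tree and the Sigma hits above describe one chain: an argument-less InstallUtil.exe (the injected .NET host) spawns powershell.exe with -ExecutionPolicy Bypass and Add-MpPreference to exclude itself and XClient.exe from Defender, then writes XClient.lnk into the user's Startup folder. The script below is an added example of how to turn those observations into detection logic over Sysmon-style events; it is not Joe Sandbox, Sigma or Snort code. The events are constructed from the PIDs, command lines and target filename shown in this report, and the Sysmon-style field names, the rule labels and the "InstallUtil without arguments" heuristic are assumptions of the example.

```python
"""Detection logic for the InstallUtil -> powershell Add-MpPreference -> Startup
.lnk chain seen in this report. Added example, not sandbox or Sigma code; the
Sysmon-style field names and rule labels are assumptions."""
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file
# create) with PIDs, command lines and paths copied from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 7988, "ParentProcessId": 7396,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"EventID": 1, "ProcessId": 7152, "ParentProcessId": 7988,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                    r"'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'"},
    {"EventID": 1, "ProcessId": 6092, "ParentProcessId": 7988,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    {"EventID": 11, "ProcessId": 7988,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
                       r"\Programs\Startup\XClient.lnk"},
    # Constructed benign control: an admin excluding a build directory by hand.
    {"EventID": 1, "ProcessId": 4242, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'},
]

EXCLUSION_RE = re.compile(
    r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)""", re.I)
# -ExecutionPolicy may be abbreviated (-ep, -ex, -exec ...): heuristic, not exhaustive.
BYPASS_RE = re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def _has_args(cmdline):
    """True if anything follows the (possibly quoted) image path."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        parts = cmd.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def analyze(events):
    """Return (rule, pid, detail) tuples for every matching event."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            cmd, image = e["CommandLine"], e["Image"].lower()
            # InstallUtil.exe needs an assembly argument to do real work; an
            # argument-less instance is a common .NET hollowing host (heuristic).
            if image.endswith("installutil.exe") and not _has_args(cmd):
                findings.append(("installutil_no_args", pid, cmd))
            m = EXCLUSION_RE.search(cmd)
            if m:
                findings.append(("defender_exclusion", pid, f"{m.group(1)}={m.group(2)}"))
                if BYPASS_RE.search(cmd):
                    findings.append(("execpolicy_bypass", pid, cmd))
                parent = by_pid.get(e.get("ParentProcessId"))
                if parent and parent["Image"].lower().endswith("installutil.exe"):
                    findings.append(("exclusion_from_dotnet_host", pid, parent["Image"]))
        elif e["EventID"] == 11 and STARTUP_RE.search(e["TargetFilename"]):
            findings.append(("startup_folder_write", pid, e["TargetFilename"]))
    return findings


def triage(events):
    """'malicious' when the exclusion is requested via an argument-less
    InstallUtil that also plants a Startup .lnk; 'suspicious' for any single
    hit (a lone Add-MpPreference still deserves a look); otherwise 'clean'."""
    rules = {r for r, _, _ in analyze(events)}
    if {"installutil_no_args", "exclusion_from_dotnet_host", "startup_folder_write"} <= rules:
        return "malicious"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
    print("verdict:", triage(EVENTS))
```

The benign control still trips defender_exclusion on its own, which is the intended behaviour: an exclusion added by hand should be reviewed, but it is the combination with the injected host and the Startup persistence that makes this chain unambiguous.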


                AV Detection

Source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; ReversingLabs: Detection: 60%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Joe Sandbox ML: detected
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: 104.250.180.178
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: 7061
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: <123456789>
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: <Xwormmm>
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: XWorm V5.2
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: USB.exe
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: %AppData%
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack; String decryptor: XClient.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: XClient.exe.5.dr
Source: Binary string: InstallUtil.pdb source: XClient.exe.5.dr

                Networking

Source: Traffic; Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49714 -> 104.250.180.178:7061
Source: Malware configuration extractor; URLs: 104.250.180.178
Source: global traffic; TCP traffic: 192.168.2.7:49714 -> 104.250.180.178:7061
Source: Joe Sandbox View; IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View; ASN Name: M247GB M247GB
Source: unknown; TCP traffic detected without corresponding DNS query: 104.250.180.178 (11 identical entries)
Source: powershell.exe, 00000009.00000002.2018136615.000000000789D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000000C.00000002.2075327329.00000000084AF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro&
Source: powershell.exe, 00000009.00000002.2014456605.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2065183204.0000000005BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2123729430.0000000005D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.2007587846.0000000004E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: InstallUtil.exe, 00000005.00000002.2556978048.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2007587846.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004D21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2007587846.0000000004E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2075327329.00000000084AF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000009.00000002.2007587846.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004D21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2014456605.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2065183204.0000000005BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2123729430.0000000005D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
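The Networking section shows the three traits that make this beacon easy to spot on the wire: the implant connects to 104.250.180.178 by raw IP with no DNS query preceding it, on port 7061 (non-standard), and that endpoint is exactly the "C2 url"/"Port" pair in the extracted configuration. The script below is an added example of a flow-log check built on those traits; it is not Joe Sandbox or Snort code. The configuration string is the one from this report; the DNS and connection records are constructed (RFC 5737 documentation addresses stand in for benign hosts), and the Zeek-like field names and the list of "expected" ports are assumptions of the example.

```python
"""Flow-log check for the C2 pattern in this report: raw-IP connection with no
prior DNS answer, non-standard port, endpoint listed in the extracted config.
Added example, not sandbox or IDS code; record layout is an assumption."""
import ipaddress
import json
from collections import Counter

# The configuration line extracted by the sandbox (copied from the report).
CONFIG_JSON = ('{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", '
               '"SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}')

# Ports a workstation is expected to reach; everything else counts as
# non-standard for this heuristic (assumption; tune per environment).
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 445, 587, 993, 995, 3389, 8080}

# Egress to these ranges is ignored; only internet-bound traffic is checked.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4")]

# Constructed records, ordered by timestamp (seconds since capture start).
# The two 7061 connections mirror the repeated C2 entries in the report.
DNS_ANSWERS = [
    {"ts": 0.5, "query": "update.example.net", "answers": ["203.0.113.10"]},
]
CONNS = [
    {"ts": 1.0, "src": "192.168.2.7", "sport": 49707, "dst": "203.0.113.10", "dport": 443},
    {"ts": 2.0, "src": "192.168.2.7", "sport": 49709, "dst": "198.51.100.7", "dport": 443},
    {"ts": 103.0, "src": "192.168.2.7", "sport": 49714, "dst": "104.250.180.178", "dport": 7061},
    {"ts": 164.0, "src": "192.168.2.7", "sport": 49720, "dst": "104.250.180.178", "dport": 7061},
]


def c2_endpoints(config_json):
    """(host, port) pairs from the extracted XWorm config. The config stores
    the port as a string and 'C2 url' as a list, so normalise both."""
    cfg = json.loads(config_json)
    port = int(cfg["Port"])
    return {(host, port) for host in cfg["C2 url"]}


def flag_connections(conns, dns_answers, c2):
    """Return (dst, dport, reasons) for each internet-bound connection whose
    destination was not returned by any DNS answer before the connection,
    whose port is non-standard, or whose endpoint is in the malware config."""
    findings = []
    for c in conns:
        dst = ipaddress.ip_address(c["dst"])
        if any(dst in net for net in LOCAL_NETS):
            continue
        resolved = {ip for rec in dns_answers if rec["ts"] <= c["ts"]
                    for ip in rec["answers"]}
        reasons = []
        if c["dst"] not in resolved:
            reasons.append("no_dns")
        if c["dport"] not in COMMON_PORTS:
            reasons.append("nonstandard_port")
        if (c["dst"], c["dport"]) in c2:
            reasons.append("config_c2_match")
        if reasons:
            findings.append((c["dst"], c["dport"], tuple(reasons)))
    return findings


def summarize(findings):
    """Collapse repeated hits (the report lists the same C2 connection eleven
    times) into counts keyed by (dst, dport, reasons)."""
    return Counter(findings)


if __name__ == "__main__":
    hits = flag_connections(CONNS, DNS_ANSWERS, c2_endpoints(CONFIG_JSON))
    for key, count in summarize(hits).items():
        print(count, "x", key)
```

A connection that only lacks a DNS answer (198.51.100.7:443 in the constructed data) is reported with a single reason and is worth a lower severity than the 7061 beacon, which collects all three; the config match is the only reason that needs sandbox output, the other two work on flow logs alone.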

                System Summary

Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 00000005.00000002.2551128752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 00000000.00000002.1956774249.0000000003325000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: initial sample; Static PE information: Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Code function: 0_2_05009CB0 CreateProcessAsUserW
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Code functions: 0_2_015AAE68, 0_2_015A6E30, 0_2_015A5150, 0_2_015A9528, 0_2_015A7418, 0_2_015AAE60, 0_2_015A8EF0, 0_2_015A5141, 0_2_015A9518, 0_2_05004450, 0_2_05002CE8, 0_2_05004FF8, 0_2_05008BE0, 0_2_0500A248, 0_2_050085D0, 0_2_050085E0, 0_2_05004440, 0_2_05003C71, 0_2_05003C80, 0_2_05002CD8, 0_2_05006CE0, 0_2_05006CF0, 0_2_0500E758, 0_2_05002F78, 0_2_05002F88, 0_2_05004FE9, 0_2_05003617, 0_2_05003618, 0_2_05007EA0, 0_2_05007EB0, 0_2_05000007, 0_2_05000040, 0_2_050080A9, 0_2_0500F0B8, 0_2_0500AB30, 0_2_0799DF2D, 0_2_07990040, 0_2_0799ED98, 0_2_0799ED5D, 0_2_07990013, 0_2_07D1C360, 0_2_07D1B258, 0_2_07D19658, 0_2_07D1D260, 0_2_07D1B990, 0_2_07D1EFFF, 0_2_07D1C350, 0_2_07D1F370
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1F3600_2_07D1F360
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1B2410_2_07D1B241
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D196480_2_07D19648
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1D24B0_2_07D1D24B
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1A6180_2_07D1A618
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1A6280_2_07D1A628
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1F5980_2_07D1F598
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1B9810_2_07D1B981
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1F5A80_2_07D1F5A8
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1ED000_2_07D1ED00
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1E1080_2_07D1E108
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1ECF00_2_07D1ECF0
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1E0F80_2_07D1E0F8
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D1F0000_2_07D1F000
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeCode function: 0_2_07D100070_2_07D10007
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_018544C75_2_018544C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_01854AC05_2_01854AC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_018514585_2_01851458
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_01851A685_2_01851A68
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04C2B4A09_2_04C2B4A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04C2B4909_2_04C2B490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02F8B4A012_2_02F8B4A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02F8B49012_2_02F8B490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_08953A9812_2_08953A98
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_04A8B4A014_2_04A8B4A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_04A8B49014_2_04A8B490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_08B03AA814_2_08B03AA8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_070AB4A016_2_070AB4A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_070AB49016_2_070AB490
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXClient.exe4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1964842836.00000000040EC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMiPro.dll, vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1955947989.000000000112E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1956774249.00000000033E1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXClient.exe4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1972420871.0000000007C60000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameRP8SH.dll, vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXClient.exe4 vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1964842836.0000000003F99000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMiPro.dll, vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000000.1296273144.00000000004C0000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameST16.exeL vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1966529784.0000000005830000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMiPro.dll, vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Binary or memory string: OriginalFilenameST16.exeL vs 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2551128752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1956774249.0000000003325000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: powershell.exe, 0000000E.00000002.2105368355.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: .SlNl
Source: powershell.exe, 00000009.00000002.2007587846.0000000004E86000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: .SlNH
Source: classification engine; Classification label: mal100.troj.evad.winEXE@15/21@0/1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.log
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Mutant created: \Sessions\1\BaseNamedObjects\f8RKHn3SOlVxjC9t
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1624:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; ReversingLabs: Detection: 60%
Source: unknown; Process created: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe "C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe; Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: cscapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: XClient.lnk.5.drLNK file: ..\..\..\..\..\XClient.exe
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: XClient.exe.5.dr
                Source: Binary string: InstallUtil.pdb source: XClient.exe.5.dr

                Data Obfuscation

                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.409c9e0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.5830000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.40eca00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.5830000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.409c9e0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.40eca00.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.40749c0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1964842836.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1966529784.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1964842836.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1956774249.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7396, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0185E100 push ebx; ret 5_2_0185E137
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0185D9B0 push es; ret 5_2_0185D9C0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04C242D9 push ebx; ret 9_2_04C242DA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04C2634D push eax; ret 9_2_04C26361
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_02F86358 push eax; ret 12_2_02F86361
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_02F82CA5 push 04B8078Bh; retf 12_2_02F82CFE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_04A86378 push eax; ret 14_2_04A86381
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_070A636D push eax; ret 16_2_070A6381
                Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | Static PE information: section name: .text entropy: 7.176206006448009
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | File created: \719#u665a) hbl# lmsin2407028 (by sea) po# 4500577338, by 1x40' hq.pdf.scr.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeFile opened: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe\:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: Possible double extension: pdf.scrStatic PE information: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe  Process information set: NOOPENFILEERRORBOX (20 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Process information set: NOOPENFILEERRORBOX (50 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (179 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: Yara match File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7396, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: 15A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: 2F90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: 4F90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: 7FF0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: 8FF0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: 91B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: A1B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: A520000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: B520000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1810000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 31C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 51C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeWindow / User API: threadDelayed 8072Jump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeWindow / User API: threadDelayed 1755Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7222Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 2624Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7333Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2339Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6130Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3639Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8616Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1077Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8247
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1472
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe TID: 7628Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe TID: 7628Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7844Thread sleep time: -23980767295822402s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3300Thread sleep count: 7222 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3300Thread sleep count: 2624 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3232Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4016Thread sleep count: 6130 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3088Thread sleep count: 3639 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2196Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2044Thread sleep count: 8616 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988Thread sleep count: 1077 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2332Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5852Thread sleep count: 8247 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6792Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4928Thread sleep count: 1472 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeThread delayed: delay time: 30000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1964842836.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1964842836.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1966529784.0000000005830000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: VBoxTray
                Source: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, 00000000.00000002.1966529784.0000000005830000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
                Source: InstallUtil.exe, 00000005.00000002.2552241041.00000000013FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 414000
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 416000
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1109008
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                Source: InstallUtil.exe, 00000005.00000002.2556978048.000000000320C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: InstallUtil.exe, 00000005.00000002.2556978048.000000000320C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
                Source: InstallUtil.exe, 00000005.00000002.2556978048.000000000320C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: InstallUtil.exe, 00000005.00000002.2556978048.000000000320C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: InstallUtil.exe, 00000005.00000002.2556978048.000000000320C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Queries volume information: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe VolumeInformation
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: InstallUtil.exe, 00000005.00000002.2563644648.0000000006D0D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2552241041.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2552241041.00000000013B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: 00000005.00000002.2551128752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: 00000000.00000002.1956774249.0000000003325000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7396, type: MEMORYSTR
                Source: Yara match - File source: Process Memory Space: InstallUtil.exe PID: 7988, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.41b66d2.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 0.2.719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe.305b45c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match - File source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: 00000005.00000002.2551128752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: 00000000.00000002.1956774249.0000000003325000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match - File source: Process Memory Space: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe PID: 7396, type: MEMORYSTR
                Source: Yara match - File source: Process Memory Space: InstallUtil.exe PID: 7988, type: MEMORYSTR

                MITRE ATT&CK Matrix (techniques listed per tactic in the matrix's column order; the digits in front of a technique are the count badges the original matrix shows for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 11 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 Valid Accounts; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 312 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 11 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Hidden Files and Directories; 12 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 121 Security Software Discovery; 2 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1475013 - Sample: 719#U665a) HBL# LMSIN240702... - Start date: 17/07/2024 - Architecture: WINDOWS - Score: 100

                Signatures on the sample as a whole: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

                Process tree:
                • 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe (3) - started
                    Dropped file: 719#U665a) HBL# LM... HQ.pdf.scr.exe.log, ASCII
                    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                    • InstallUtil.exe (6) - started
                        DNS/IP: 104.250.180.178, ports 49714, 49715, 7061, M247GB, United States
                        Dropped file: C:\Users\user\AppData\Roaming\XClient.exe, PE32
                        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
                        • powershell.exe (23) - started
                            Signature: Loading BitLocker PowerShell Module
                            • conhost.exe - started
                        • powershell.exe (23) - started
                            • conhost.exe - started
                        • powershell.exe (23) - started
                            • conhost.exe - started
                        • powershell.exe - started
                            • conhost.exe - started

                Source | Detection | Scanner | Label | Link
                719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | 61% | ReversingLabs | Win32.Backdoor.Xworm |
                719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | 100% | Joe Sandbox ML | |
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\XClient.exe | 0% | ReversingLabs | |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
                http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
                http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
                https://contoso.com/ | 0% | URL Reputation | safe |
                https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                https://contoso.com/License | 0% | URL Reputation | safe |
                https://contoso.com/Icon | 0% | URL Reputation | safe |
                http://crl.micro& | 0% | Avira URL Cloud | safe |
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                http://www.microsoft.co | 0% | Avira URL Cloud | safe |
                104.250.180.178 | 0% | Avira URL Cloud | safe |
                https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
                http://crl.mi | 0% | Avira URL Cloud | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                104.250.180.178 | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2014456605.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2065183204.0000000005BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2123729430.0000000005D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://crl.micro& | powershell.exe, 0000000C.00000002.2075327329.00000000084AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000009.00000002.2007587846.0000000004E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://aka.ms/pscore6lB | powershell.exe, 00000009.00000002.2007587846.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004D21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000009.00000002.2007587846.0000000004E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/ | powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2014456605.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2065183204.0000000005BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2123729430.0000000005D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.microsoft.co | powershell.exe, 0000000C.00000002.2075327329.00000000084AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/License | powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000010.00000002.2195429580.0000000005D82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000005.00000002.2556978048.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2007587846.0000000004D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2046313353.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2105368355.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2164752798.0000000004D21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://github.com/Pester/Pester | powershell.exe, 00000010.00000002.2164752798.0000000004E76000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.mi | powershell.exe, 00000009.00000002.2018136615.000000000789D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.250.180.178 | unknown | United States | 9009 | M247GB | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1475013
                Start date and time:2024-07-17 14:58:10 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 45s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
                renamed because original name is a hash value
                Original Sample Name:719) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@15/21@0/1
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 357
                • Number of non-executed functions: 75
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 6092 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 7152 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
Time | Type | Description
08:59:13 | API Interceptor | 195x Sleep call for process: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe modified
10:27:36 | API Interceptor | 42x Sleep call for process: powershell.exe modified
10:28:00 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
10:28:05 | API Interceptor | 12x Sleep call for process: InstallUtil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.250.180.178 | 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | malicious | PureLog Stealer, XWorm
104.250.180.178 | LMSIN2407028 - PO# 4500577338, by 1x40' HQ .pdf.scr.exe | malicious | PureLog Stealer, Remcos
104.250.180.178 | rSO0105-PI-514124SO0105,702(CFS-CY)FIRSYD.scr.exe | malicious | XWorm
104.250.180.178 | DELAY NOTICE - ONE_FORTUNE - 001W (MD22425W).scr.exe | malicious | XWorm
104.250.180.178 | ISF 10+2 Form+VGM - MX-M354N_20240709_134303.scr.exe | malicious | Remcos
104.250.180.178 | .pdf.scr.exe | malicious | Remcos
104.250.180.178 | .pdf.scr.exe | malicious | XWorm
104.250.180.178 | ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe | malicious | DarkTortilla, XWorm
104.250.180.178 | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos
104.250.180.178 | @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe | malicious | DarkTortilla, XWorm
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
M247GB | 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | malicious | PureLog Stealer, XWorm | 104.250.180.178
M247GB | LMSIN2407028 - PO# 4500577338, by 1x40' HQ .pdf.scr.exe | malicious | PureLog Stealer, Remcos | 104.250.180.178
M247GB | 103.124.105.111-mips-2024-07-17T05_21_08.elf | malicious | Mirai, Moobot | 193.37.59.116
M247GB | https://login.hamgamtakhfif.ir/#afroditi.ladovrechis@innocap.com | malicious | Unknown | 91.202.233.193
M247GB | strathconaregistry policy for 2024 FYI.html | malicious | HTMLPhisher | 91.132.139.168
M247GB | strathconaregistry policy for 2024 FYI.html | malicious | HTMLPhisher | 91.132.139.168
M247GB | SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe | malicious | Phorpiex, Xmrig | 91.202.233.141
M247GB | Setup.exe | malicious | AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine | 91.202.233.141
M247GB | sora.arm7.elf | malicious | Mirai | 135.84.213.214
M247GB | crosscheckrosefloweronhairbeauty.gIF.vbs | malicious | Remcos | 194.187.251.115
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\XClient.exe | ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe | malicious | DarkTortilla, XWorm
C:\Users\user\AppData\Roaming\XClient.exe | F46VBJ6Yvy.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XClient.exe | @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe | malicious | DarkTortilla, XWorm
C:\Users\user\AppData\Roaming\XClient.exe | SPECIFICATIONS.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XClient.exe | order .exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XClient.exe | 06-07-2024 REVISED - BL#3330937P2454 SO#2003 #U63d0#U55ae#U96fb#U653e.scr.exe | malicious | DarkTortilla, XWorm
C:\Users\user\AppData\Roaming\XClient.exe | Mahsulot kodi va buyurtma miqdori.docx.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XClient.exe | #U597d#U601d#U4f73#U7ca7#U696d 0524 KAO - SH CY 1X40HQ(#U4ee3#U7528).scr.exe | malicious | DarkTortilla, XWorm
C:\Users\user\AppData\Roaming\XClient.exe | ISF (10+2) Form #U683c#U798f-3019 NASHVILLE.xls.scr.exe | malicious | DarkTortilla, XWorm
C:\Users\user\AppData\Roaming\XClient.exe | SEM ABRIL 2024.exe | malicious | AgentTesla, DarkTortilla
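A host-triage check assembled from the indicators in this section: the contacted IP the report flags as malicious (ASN 9009, M247GB), the Startup-folder XClient.lnk from the behaviour timeline, the dropped C:\Users\user\AppData\Roaming\XClient.exe, and the SHA-256 values of the two small text files written by the sample and by InstallUtil.exe in the dropped-file entries below. This is an added example written for this page, not Joe Sandbox output and not the sample's own code. The netstat excerpt, directory listing, hash inventory, profile name alice and remote port 7000 are constructed inputs (the report does not give the C2 port); paths are compared relative to C:\Users\<name> so the sandbox's profile name "user" does not have to match the victim host.

```python
"""Host-triage check built from the indicators in this report (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators copied from the report. Paths are stored profile-relative and lower-cased
# because the sandbox ran as "user" while a real victim has some other profile name.
C2_IPS = {"104.250.180.178"}
PERSISTENCE_PATH_SUFFIXES = {
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup\xclient.lnk",
    r"\appdata\roaming\xclient.exe",
}
DROPPED_SHA256 = {
    # 1216-byte text file written by the sample process (report marks it Malicious:true)
    "c3ec8d6c079b1940d82374a85e9dc41ed9ff683ada338f89e375aa7ac777749d",
    # 29-byte text file written by InstallUtil.exe
    "bcf3676333e528171eee1055302f3863a0c89d9ffe7017ea31cf264e13c8a699",
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "c2_connection", "persistence_artifact" or "dropped_file_hash"
    evidence: str   # the input line, path or hash that matched


_PROFILE_PREFIX = re.compile(r"^[a-z]:\\users\\[^\\]+", re.IGNORECASE)


def profile_relative(path: str) -> Optional[str]:
    """Strip 'C:\\Users\\<name>' so one indicator matches any profile; None if not under a profile."""
    m = _PROFILE_PREFIX.match(path)
    return path[m.end():] if m else None


def check_connections(netstat_lines: Iterable[str]) -> List[Finding]:
    """Flag 'netstat -ano' style rows whose foreign address is one of the report's C2 IPs."""
    findings = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unexpected row
        remote_ip = parts[2].rsplit(":", 1)[0]   # drop the port, keep the address
        if remote_ip in C2_IPS:
            findings.append(Finding("c2_connection", line.strip()))
    return findings


def check_paths(paths: Iterable[str]) -> List[Finding]:
    """Flag files whose profile-relative path equals one of the persistence artefacts."""
    findings = []
    for path in paths:
        rel = profile_relative(path)
        if rel is not None and rel.lower() in PERSISTENCE_PATH_SUFFIXES:
            findings.append(Finding("persistence_artifact", path))
    return findings


def check_hashes(inventory: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Flag (path, sha256) pairs whose digest matches a dropped file from the report."""
    findings = []
    for path, digest in inventory:
        if digest.lower() in DROPPED_SHA256:
            findings.append(Finding("dropped_file_hash", f"{path} sha256={digest.lower()}"))
    return findings


def triage(netstat_lines, paths, inventory) -> List[Finding]:
    """Run all three checks; network matches first, then persistence, then hash matches."""
    return check_connections(netstat_lines) + check_paths(paths) + check_hashes(inventory)


# Constructed sample input, not taken from the report: a netstat excerpt (remote port 7000 is
# arbitrary), a directory listing for profile "alice" and a (path, sha256) inventory.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    10.0.0.5:49811         104.250.180.178:7000   ESTABLISHED     4120",
    "  TCP    10.0.0.5:49812         13.107.42.14:443       ESTABLISHED     2312",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk",
    r"C:\Users\alice\AppData\Roaming\XClient.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\AppData\Local\Temp\tmp1.log",
     "C3EC8D6C079B1940D82374A85E9DC41ED9FF683ADA338F89E375AA7AC777749D"),
    (r"C:\Users\alice\AppData\Local\Temp\tmp2.log",
     "0000000000000000000000000000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PATHS, SAMPLE_INVENTORY):
        print(f"{finding.kind:22} {finding.evidence}")
```

On a real host feed it the output of `netstat -ano`, a recursive listing of C:\Users, and `Get-FileHash -Algorithm SHA256` results. The two hash indicators are small text files whose content is not fixed by the malware, so a hash hit is corroboration only; the Startup-folder LNK, the Roaming XClient.exe and a connection to 104.250.180.178 are the indicators worth alerting on.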
                                                        Process:C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLU84qpE4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:Mgv2HKlYHKh3oIHKx1qHitHo6hAHKzea
                                                        MD5:FB53815DEEC334028DBDE4E3660E26D0
                                                        SHA1:7F491359EC244406DFC8AA39FC9B727D677E4FDF
                                                        SHA-256:C3EC8D6C079B1940D82374A85E9DC41ED9FF683ADA338F89E375AA7AC777749D
                                                        SHA-512:5CC466901D7911BE1E1731162CC01C371444AAFA9A504F1F22516F60C888048EB78B5C5A12215EE2B127BD67A19677E370686465E85E08BC14015F8FAB049E49
                                                        Malicious:true
                                                        Reputation:moderate, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.380328451435737
                                                        Encrypted:false
                                                        SSDEEP:48:jWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//MvUyus:jLHxv2IfLZ2KRH6Oug8s
                                                        MD5:5F6B87B88D62400D4003733C32DD6909
                                                        SHA1:87C8D205002B791ED5B069AE1A7B711528054406
                                                        SHA-256:F865658CB1046BD9A20C5314586FF9B594C73A496AF320BA3D97624B47006BE7
                                                        SHA-512:59A23482804D2D825BAE340763213F5CB25A49DD67BC6591CB42FAA8D07FCAAB21D73FE24F9DDFEF41C50073008DB9DC2228E8C8CE7BBCB68E747F0FC2ED723D
                                                        Malicious:false
                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):29
                                                        Entropy (8bit):3.598349098128234
                                                        Encrypted:false
                                                        SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                        MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                        SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                        SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                        SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                        Malicious:false
                                                        Preview:....### explorer ###..[WIN]r
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
(Twelve further dropped-file entries written by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe follow here with the same 60-byte content, hashes and SSDEEP as the entry above; the repeats are omitted.)
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jul 17 13:28:00 2024, mtime=Wed Jul 17 13:28:00 2024, atime=Wed Jul 17 13:28:00 2024, length=42064, window=hide
                                                        Category:dropped
                                                        Size (bytes):768
                                                        Entropy (8bit):5.143183016566052
                                                        Encrypted:false
                                                        SSDEEP:12:8IdMmdMm1LC245MN+2ChAhi1Y//Kc0LQkW3wYjAANHkQhw303zBmV:8IM2MCgD2P9TWQfg8ADQhw303tm
                                                        MD5:23178A3592CE24DAF2CA5060DF311DE4
                                                        SHA1:B8A982AFFE243A1DA135F612F8F2D144BFE0B0A4
                                                        SHA-256:85499E8AFC7ECC6F8969F6C8BE5B75522B35200AD0DCF7A016118779CC5CD586
                                                        SHA-512:3034B3D26B231FB0CA94154B5C1B3416D7576E2DBC55123DCD7CCC8D139B7C9F5AAC183B0C295A92C6703DF20AEF423DBE6DEA972B4CAF11A1511CF995627EB6
                                                        Malicious:false
                                                        Preview:L..................F.... .......U.......U.......U...P.......................v.:..DG..Yr?.D..U..k0.&...&......Qg.*_......I......U.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.XXs..........................3*N.A.p.p.D.a.t.a...B.V.1......Xcg..Roaming.@......EW.=.Xcg............................+.R.o.a.m.i.n.g.....b.2.P....X.s .XClient.exe.H.......X.s.X.s....j.....................f!..X.C.l.i.e.n.t...e.x.e.......]...............-.......\...........+K.......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......878411...........hT..CrF.f4... ..5..HD...,......hT..CrF.f4... ..5..HD...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):42064
                                                        Entropy (8bit):6.19564898727408
                                                        Encrypted:false
                                                        SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                                                        MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                                                        SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                                                        SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                                                        SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                         • Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious
                                                         • Filename: F46VBJ6Yvy.exe, Detection: malicious
                                                         • Filename: @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe, Detection: malicious
                                                         • Filename: SPECIFICATIONS.exe, Detection: malicious
                                                         • Filename: order .exe, Detection: malicious
                                                         • Filename: 06-07-2024 REVISED - BL#3330937P2454 SO#2003 #U63d0#U55ae#U96fb#U653e.scr.exe, Detection: malicious
                                                         • Filename: Mahsulot kodi va buyurtma miqdori.docx.exe, Detection: malicious
                                                         • Filename: #U597d#U601d#U4f73#U7ca7#U696d 0524 KAO - SH CY 1X40HQ(#U4ee3#U7528).scr.exe, Detection: malicious
                                                         • Filename: ISF (10+2) Form #U683c#U798f-3019 NASHVILLE.xls.scr.exe, Detection: malicious
                                                         • Filename: SEM ABRIL 2024.exe, Detection: malicious
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.153176954472504
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
                                                        File size:382'976 bytes
                                                        MD5:bae47cae3594a134428398129131c4f3
                                                        SHA1:a44c40cb661ad52ed559ecb28bda620438a816c6
                                                        SHA256:225f24ec8e5c27e915e65abcd7d11cc6908b48c5e60e16aaff5eaf05f162e0a5
                                                        SHA512:8a158d785750473e0e4caec85cf0b50d7dcea1d7a5dbdbf2e7fae84a66e5bbc8775ce0545083aca1000e1b9b434b12c2679d5e2729254c2a0879a68a7b0c1fe1
                                                        SSDEEP:6144:tBRtXmkYuo3IAi/AsRmafVqlSXpbrFzpb+h2RKj7smSg7I28edU:HRd1YNstVqEpbrDpKnsmIed
                                                        TLSH:CB84D02E4BE89118D1FEAB7C95B14115CB71FA476813F32E1B8050B96AB33689D42F63
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.`.........."...P.............N.... ........@.. .......................@............`................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x45ec4e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x60F123E9 [Fri Jul 16 06:15:05 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                         Name                                  Virtual Address  Virtual Size  Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT          0x5ebf4          0x57          .text
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        0x60000          0x404         .rsrc
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       0x62000          0xc           .reloc
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                         .text | 0x2000 | 0x5cc54 | 0x5ce00 | 1bd46fe616b29ed42627aa993fa0b09c | False | 0.758285666218035 | data | 7.176206006448009 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                         .rsrc | 0x60000 | 0x404 | 0x600 | 290121bcabc89eadfbfa99057a049976 | False | 0.2975260416666667 | data | 2.554357720816112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .reloc | 0x62000 | 0xc | 0x200 | 8882a97af90f2b96662e4cebfd925527 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                         RT_VERSION | 0x60058 | 0x3ac | data |  |  | 0.44468085106382976
                                                         DLL | Import
                                                         mscoree.dll | _CorExeMain
                                                         Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                         07/17/24-15:01:01.252360 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                                         2024-07-17T15:01:01.252360+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         2024-07-17T14:59:19.276119+0200 | TCP | 2840787 | ETPRO HUNTING Request for config.json | 49707 | 443 | 192.168.2.7 | 184.28.90.27
                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Jul 17, 2024 15:00:48.999958038 CEST | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:00:49.005354881 CEST | 7061 | 49714 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:00:49.005599976 CEST | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:00:49.094786882 CEST | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:00:49.099850893 CEST | 7061 | 49714 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:01.252360106 CEST | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:01.258419037 CEST | 7061 | 49714 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:10.379327059 CEST | 7061 | 49714 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:10.379455090 CEST | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:10.521445036 CEST | 49714 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:10.523736954 CEST | 49715 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:10.526438951 CEST | 7061 | 49714 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:10.528748989 CEST | 7061 | 49715 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:10.529509068 CEST | 49715 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:10.640908957 CEST | 49715 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:10.645948887 CEST | 7061 | 49715 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:18.547467947 CEST | 49715 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:18.765639067 CEST | 49715 | 7061 | 192.168.2.7 | 104.250.180.178
                                                         Jul 17, 2024 15:01:18.827841997 CEST | 7061 | 49715 | 104.250.180.178 | 192.168.2.7
                                                         Jul 17, 2024 15:01:18.827853918 CEST | 7061 | 49715 | 104.250.180.178 | 192.168.2.7

                                                        Target ID:0
                                                        Start time:08:59:11
                                                        Start date:17/07/2024
                                                        Path:C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe"
                                                        Imagebase:0x460000
                                                        File size:382'976 bytes
                                                        MD5 hash:BAE47CAE3594A134428398129131C4F3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1964842836.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1956774249.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1964842836.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1966529784.0000000005830000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1964842836.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1956774249.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1956774249.0000000003325000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1956774249.0000000003325000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:10:27:00
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                        Imagebase:0xe80000
                                                        File size:42'064 bytes
                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2551128752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2551128752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:10:27:36
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
                                                        Imagebase:0xa00000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:10:27:36
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:10:27:40
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
                                                        Imagebase:0xa00000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:10:27:40
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:10:27:45
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                                                        Imagebase:0xa00000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:10:27:45
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:10:27:51
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                        Imagebase:0xa00000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:10:27:51
                                                        Start date:17/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

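The process list above shows the whole defence-evasion step in the clear: four `powershell.exe -ExecutionPolicy Bypass Add-MpPreference ...` launches that exclude the injection host (`InstallUtil.exe`) and the dropped payload (`XClient.exe`) from Defender by path and by process name, plus a `.NET` utility started with no arguments at all (the hollowed host that the Yara hits for XWorm/AsyncRAT land in), and an initial sample named `...pdf.scr.exe`. The following Python is an added example, not Joe Sandbox output and not code from the sample; it turns those observations into triage rules that run over process-creation records. The records are constructed from the command lines in this report (reduced to the fields the rules need); the severity labels, the list of .NET host binaries, the decoy-extension list and the regular expressions are the example's own assumptions.

```python
"""Triage process-creation records for the behaviour in this report:
Defender exclusions added from PowerShell, a bare .NET utility used as an
injection host, and a decoy double extension on the initial sample."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = (r"C:\Users\user\Desktop\719#U665a) HBL# LMSIN2407028 (by SEA) "
          r"PO# 4500577338, by 1x40' HQ.pdf.scr.exe")
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"


def _ps(args: str) -> str:
    """Command line shape used by every PowerShell launch in the report."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed records: command lines copied from the process list above,
# keyed by the report's Target ID. No field the report does not show.
PROCESSES = [
    {"id": 0, "cmdline": f'"{SAMPLE}"'},
    {"id": 5, "cmdline": f'"{INSTALLUTIL}"'},
    {"id": 9, "cmdline": _ps(f"Add-MpPreference -ExclusionPath '{INSTALLUTIL}'")},
    {"id": 10, "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 12, "cmdline": _ps("Add-MpPreference -ExclusionProcess 'InstallUtil.exe'")},
    {"id": 14, "cmdline": _ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'")},
    {"id": 16, "cmdline": _ps("Add-MpPreference -ExclusionProcess 'XClient.exe'")},
]

# -ExclusionPath/-ExclusionProcess/-ExclusionExtension with a quoted or bare value.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE)
# powershell.exe accepts any unique prefix of -ExecutionPolicy (-ep, -ex, -exec ...).
BYPASS_RE = re.compile(r"-e[px]\w*\s+bypass", re.IGNORECASE)
# .NET utilities commonly chosen as hollowing hosts (assumed list); none of them
# does useful work when launched with no arguments.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "applaunch.exe"}
# Decoy document extension followed by one or more executable extensions.
DECOY_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)(\.(exe|scr|com|pif|bat|cmd|js|vbs))+$",
    re.IGNORECASE)


def image_name(cmdline: str) -> str:
    """File name of the first token (quoted or bare) of a Windows command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    image = m.group(1) or m.group(2)
    return image.rsplit("\\", 1)[-1]


def defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """[(kind, value)] for every Defender exclusion the command line adds."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)
        found.append((m.group(1).lower(), value))
    return found


def is_bare_dotnet_host(cmdline: str) -> bool:
    """True when a known .NET host binary is started with no arguments at all."""
    if image_name(cmdline).lower() not in DOTNET_HOSTS:
        return False
    rest = re.sub(r'^\s*(?:"[^"]+"|\S+)', "", cmdline, count=1).strip()
    return rest == ""


def has_decoy_double_extension(cmdline: str) -> bool:
    return DECOY_EXT.search(image_name(cmdline)) is not None


def triage(processes) -> list[tuple[int, str, str, str]]:
    """(id, rule, detail, severity) for every rule that fires on a record."""
    findings = []
    for p in processes:
        cmd = p["cmdline"]
        for kind, value in defender_exclusions(cmd):
            sev = "high" if BYPASS_RE.search(cmd) else "medium"
            findings.append((p["id"], f"defender_exclusion_{kind}", value, sev))
        if is_bare_dotnet_host(cmd):
            findings.append((p["id"], "bare_dotnet_host", image_name(cmd), "high"))
        if has_decoy_double_extension(cmd):
            findings.append((p["id"], "decoy_double_extension", image_name(cmd), "medium"))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f)
```

The exclusion values are worth keeping as output rather than just a boolean: on a live host they are exactly what `Get-MpPreference` should be checked against and what `Remove-MpPreference` has to undo, and a process exclusion such as `XClient.exe` persists after the file itself is deleted.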

                                                          Execution Graph

                                                          Execution Coverage:18.8%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:15.1%
                                                          Total number of Nodes:166
                                                          Total number of Limit Nodes:22
                                                          execution_graph (the rendered graph is not recoverable as text; the API-call nodes it contains, with the address of the calling block, are):
                                                          • 500b7c5: Wow64GetThreadContext
                                                          • 500cec0: ResumeThread
                                                          • 500c9b8: VirtualProtectEx
                                                          • 500d4d0: PostMessageW
                                                          • 5009d2f: CreateProcessAsUserW (reached from the blocks 50074ba to 50079d0 through 5009cb0)
                                                          • 500be90: VirtualAllocEx
                                                          • 5002820: VirtualProtect (through 50027d0 / 50027d8 from the blocks 500021b to 500133c)
                                                          • 7d1a5b0: VirtualProtect (through 7d1a4a0 / 7d1a503 / 7d1a568 from 7d19d0b)
                                                          • 500c210: WriteProcessMemory
                                                          • 500cc3d: Wow64SetThreadContext
                                                          • 15aefca: CallWindowProcW

                                                          Control-flow Graph

                                                          control_flow_graph: function at 7990013 (the rendered basic-block graph is not recoverable as text; the graph's call at 7995ebe resolves to 79975b0 / 79975c0)
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d500c58353e4b59b529e6f565819e00921af0577dd8e57f81c9dd4add912ed9b
                                                          • Instruction ID: c5c594cfc95e32a8efd639694a0c35cdaea9d3bfc2ebbbbbf690d9487edb2f61
                                                          • Opcode Fuzzy Hash: d500c58353e4b59b529e6f565819e00921af0577dd8e57f81c9dd4add912ed9b
                                                          • Instruction Fuzzy Hash: 43C3E870A05218CFDB68FF79EA9966CBBB2BB89300F4045E9D449A7354DB349E84CF41

                                                          Control-flow Graph

                                                          control_flow_graph: function at 7990040 (the rendered basic-block graph is not recoverable as text; the graph's call at 7995ebe resolves to 79975b0 / 79975c0)
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3dd9f3bb5b3f18a787bb80a310ba25f30e1dfe01b770a37a3a801a9bb54b2ef7
                                                          • Instruction ID: 662497585cd981448f676dee3d3f339df6c1efc8c2789ee1357e6f5cc4530c17
                                                          • Opcode Fuzzy Hash: 3dd9f3bb5b3f18a787bb80a310ba25f30e1dfe01b770a37a3a801a9bb54b2ef7
                                                          • Instruction Fuzzy Hash: BEC3E870A05218CFDB68FF79EA9966CBBB2BB89300F4045E9D449A7354DB349E84CF41

                                                          Control-flow Graph

                                                          control_flow_graph: function at 15a7418 (the rendered basic-block graph is not recoverable as text; calls in the graph: 15a7450 to 15a7418 / 15a7416, 15a77b2 and 15a783e to 15a7a43)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (oq$(oq$,q$,q
                                                          • API String ID: 0-620556200
                                                          • Opcode ID: cedfd01cdb16f5f93a8ba1eff64cba192a9507c00f9139bcbeda2c7b71e3db39
                                                          • Instruction ID: f268c4d628e591bb940f9932526d480c5e9807947f037e9605dd8efd016dbe62
                                                          • Opcode Fuzzy Hash: cedfd01cdb16f5f93a8ba1eff64cba192a9507c00f9139bcbeda2c7b71e3db39
                                                          • Instruction Fuzzy Hash: 2E026C30A40219DFDB15CFA8C984AADBFF6FF88340F95846AE955AB261D732DC41CB50

                                                          Control-flow Graph

                                                          control_flow_graph: function at 5002ce8 (the rendered basic-block graph is not recoverable as text; calls in the graph: 5002d22 to 50031b5 / 5003128, 5002e7a to 5004408 / 50043f9)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Q!$Q!$$q
                                                          • API String ID: 0-1482494776
                                                          • Opcode ID: d8fe276f3b2ece4e6e927083bc13d45f37400bf3108f51dd958f39d2d634e18e
                                                          • Instruction ID: 115d68208691a730d2016f4e17ba2fb7f956a51b36d7fa85c1f14f744a1913ae
                                                          • Opcode Fuzzy Hash: d8fe276f3b2ece4e6e927083bc13d45f37400bf3108f51dd958f39d2d634e18e
                                                          • Instruction Fuzzy Hash: 0471D474D10209DFDB04CFE5D5896AEBFB2BF88300F24942AE81AA7394DB305945CF91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2886 7d10007-7d1008c 2889 7d10182-7d1177f 2886->2889 2890 7d10092-7d1017a 2886->2890 3491 7d11785 call 7d14190 2889->3491 3492 7d11785 call 7d14180 2889->3492 2890->2889 3168 7d11788-7d13092 3493 7d13094 call 15a568a 3168->3493 3494 7d13094 call 15a56a0 3168->3494 3474 7d13099-7d13305 3490 7d1330b-7d13312 3474->3490 3491->3168 3492->3168 3493->3474 3494->3474
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aca516a2aceb90aa4438d5ea22679d14a0f11cb5eb66459eb7ac694fe977280c
                                                          • Instruction ID: 2c3f97c390d66fdcbe226f05d310f35a9a3021d9fbfe7434ed568ae789176125
                                                          • Opcode Fuzzy Hash: aca516a2aceb90aa4438d5ea22679d14a0f11cb5eb66459eb7ac694fe977280c
                                                          • Instruction Fuzzy Hash: 60437EB0E00218DBCB18FF7CD88976DBBB1BB88301F5185A9D449A7354DB38AD89CB55

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3495 15a6e30-15a6e4a 3497 15a6e78-15a6e89 3495->3497 3498 15a6e4c-15a6e5d 3495->3498 3499 15a6efa-15a6f0e 3497->3499 3500 15a6e8b-15a6e8f 3497->3500 3498->3497 3504 15a6e5f-15a6e6b 3498->3504 3610 15a6f11 call 15a7418 3499->3610 3611 15a6f11 call 15a7416 3499->3611 3502 15a6eaa-15a6eb3 3500->3502 3503 15a6e91-15a6e9d 3500->3503 3508 15a6eb9-15a6ebc 3502->3508 3509 15a71bc 3502->3509 3506 15a722b-15a7276 3503->3506 3507 15a6ea3-15a6ea5 3503->3507 3510 15a71c1-15a7224 3504->3510 3511 15a6e71-15a6e73 3504->3511 3505 15a6f17-15a6f1d 3512 15a6f1f-15a6f21 3505->3512 3513 15a6f26-15a6f2d 3505->3513 3565 15a727d-15a72fc 3506->3565 3514 15a71b2-15a71b9 3507->3514 3508->3509 3515 15a6ec2-15a6ee1 3508->3515 3509->3510 3510->3506 3511->3514 3512->3514 3516 15a701b-15a702c 3513->3516 3517 15a6f33-15a6f40 3513->3517 3515->3509 3533 15a6ee7-15a6eed 3515->3533 3527 15a702e-15a7031 3516->3527 3528 15a7056-15a705c 3516->3528 3521 15a6f48-15a6f4a 3517->3521 3521->3516 3524 15a6f50-15a6f5c 3521->3524 3531 15a6f62-15a6fce 3524->3531 3532 15a7014-15a7016 3524->3532 3535 15a7039-15a703b 3527->3535 3529 15a705e-15a706a 3528->3529 3530 15a7077-15a707d 3528->3530 3536 15a7313-15a7376 3529->3536 3537 15a7070-15a7072 3529->3537 3538 15a71af 3530->3538 3539 15a7083-15a70a0 3530->3539 3566 15a6ffc-15a7011 3531->3566 3567 15a6fd0-15a6ffa 3531->3567 3532->3514 3541 15a6ef3-15a6ef7 3533->3541 3542 15a7401-15a7412 3533->3542 3535->3530 3543 15a703d-15a7049 3535->3543 3590 15a737d-15a73fc 3536->3590 3537->3514 3538->3514 3539->3509 3559 15a70a6-15a70a9 3539->3559 3541->3499 3547 15a704f-15a7051 3543->3547 3548 15a7301-15a730c 3543->3548 3547->3514 3548->3536 3559->3542 3563 15a70af-15a70d5 3559->3563 3563->3538 3571 15a70db-15a70e7 3563->3571 3566->3532 3567->3566 3574 15a71ab-15a71ad 3571->3574 3575 15a70ed-15a7165 3571->3575 3574->3514 3593 15a7193-15a71a8 3575->3593 3594 15a7167-15a7191 3575->3594 3593->3574 3594->3593 3610->3505 3611->3505
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (oq$Hq
                                                          • API String ID: 0-2917151738
                                                          • Opcode ID: 7ef8a136860449743ebf4975b242b5d47e1fe0aa21399bdc2558f9700d74721b
                                                          • Instruction ID: 1e968318040ce122664e0e136e0cdf946ea3ecb558625dccdbf4ade114828313
                                                          • Opcode Fuzzy Hash: 7ef8a136860449743ebf4975b242b5d47e1fe0aa21399bdc2558f9700d74721b
                                                          • Instruction Fuzzy Hash: AFF18A70A002198FDB19DF69C854BAEBBF6BFC8340F648459E506DB395DB359C42CB90

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 4001 7d1b241-7d1b250 4002 7d1b252-7d1b266 4001->4002 4003 7d1b268-7d1b27b 4001->4003 4002->4003 4004 7d1b282-7d1b2f8 4003->4004 4005 7d1b27d 4003->4005 4010 7d1b2fb 4004->4010 4005->4004 4011 7d1b302-7d1b31e 4010->4011 4012 7d1b320 4011->4012 4013 7d1b327-7d1b328 4011->4013 4012->4010 4012->4013 4014 7d1b3f9-7d1b415 4012->4014 4015 7d1b368-7d1b36c 4012->4015 4016 7d1b398-7d1b3cc 4012->4016 4017 7d1b41a-7d1b48a 4012->4017 4018 7d1b32d-7d1b366 4012->4018 4013->4017 4014->4011 4019 7d1b37f-7d1b386 4015->4019 4020 7d1b36e-7d1b37d 4015->4020 4032 7d1b3ce call 7d1b981 4016->4032 4033 7d1b3ce call 7d1b990 4016->4033 4034 7d1b48c call 7d1c350 4017->4034 4035 7d1b48c call 7d1c360 4017->4035 4036 7d1b48c call 7d1c7a9 4017->4036 4018->4011 4025 7d1b38d-7d1b393 4019->4025 4020->4025 4025->4011 4028 7d1b3d4-7d1b3f4 4028->4011 4031 7d1b492-7d1b49c 4032->4028 4033->4028 4034->4031 4035->4031 4036->4031
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teq$Teq
                                                          • API String ID: 0-2938103587
                                                          • Opcode ID: 75f9e35dfac6c80ed6ef5422d70a1095b2e29bc88e93cee83b9d0de6183f28f3
                                                          • Instruction ID: ead2606b06e19440f857cb9a6739a19abe9fe04d70005f7e1e8525b253ff8012
                                                          • Opcode Fuzzy Hash: 75f9e35dfac6c80ed6ef5422d70a1095b2e29bc88e93cee83b9d0de6183f28f3
                                                          • Instruction Fuzzy Hash: F281E0B4E002089FDB08CFE9D995AAEFBF2FF89300F14842AD915AB364D7349905CB50

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 4037 500a248-500a26d 4038 500a274-500a2a8 call 500a538 4037->4038 4039 500a26f 4037->4039 4041 500a2ab 4038->4041 4039->4038 4042 500a2b2-500a2ce 4041->4042 4043 500a2d0 4042->4043 4044 500a2d7-500a2d8 4042->4044 4043->4041 4043->4044 4045 500a3a0-500a3b2 4043->4045 4046 500a443-500a476 call 5002f88 4043->4046 4047 500a343-500a36d 4043->4047 4048 500a308-500a33b call 5006cf0 4043->4048 4049 500a3ce-500a3d8 4043->4049 4050 500a4b5-500a4bd 4043->4050 4051 500a3b7-500a3c9 4043->4051 4052 500a4d8-500a4e1 4043->4052 4053 500a3dd-500a3e0 4043->4053 4054 500a2dd-500a2ee 4043->4054 4055 500a47e-500a482 4043->4055 4056 500a3ff-500a417 4043->4056 4044->4052 4045->4042 4046->4055 4077 500a380-500a387 4047->4077 4078 500a36f-500a37e 4047->4078 4048->4047 4049->4042 4057 500a4c4-500a4d3 4050->4057 4051->4042 4067 500a3e9-500a3fa 4053->4067 4071 500a2f4-500a306 4054->4071 4072 500a4bf-500a4c1 4054->4072 4060 500a484-500a493 4055->4060 4061 500a495-500a49c 4055->4061 4069 500a419-500a428 4056->4069 4070 500a42a-500a431 4056->4070 4057->4042 4068 500a4a3-500a4b0 4060->4068 4061->4068 4067->4042 4068->4042 4073 500a438-500a43e 4069->4073 4070->4073 4071->4042 4072->4057 4073->4042 4079 500a38e-500a39b 4077->4079 4078->4079 4079->4042
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Q+(i$Q+(i
                                                          • API String ID: 0-3998099878
                                                          • Opcode ID: 2a20dd552808efb032ce9423d75e2c5b2a017b076ccdd3641da86c926a00a717
                                                          • Instruction ID: 784a5ebbf98563771ba3bdc162c82562627806b73417735a0a8cd4141b20c543
                                                          • Opcode Fuzzy Hash: 2a20dd552808efb032ce9423d75e2c5b2a017b076ccdd3641da86c926a00a717
                                                          • Instruction Fuzzy Hash: DD81D4B4E15318CFDB44CFA9D9846EEBBB2BB89310F20942AD816BB394D7345941CF54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teq$Teq
                                                          • API String ID: 0-2938103587
                                                          • Opcode ID: baca7629ddd64fa8560295e9c3965df84a022f82761c432e1b2c9091afe52413
                                                          • Instruction ID: a8c55042af55786301612153aec4d3681e6adbb638e6be967e2d77ce1d361175
                                                          • Opcode Fuzzy Hash: baca7629ddd64fa8560295e9c3965df84a022f82761c432e1b2c9091afe52413
                                                          • Instruction Fuzzy Hash: 1C71AFB4E102199FDB08CFE9D995AAEFBB2FF89300F14842AD919AB354D7349905CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Q!$$q
                                                          • API String ID: 0-648432091
                                                          • Opcode ID: 9a5ef71bdcb9e0cb01b94af2a73d875309e1026f8ee22c3c40004dfe7cc27561
                                                          • Instruction ID: a4f971923140be1c99936b9f98f20b99d42ca4dab937e086cb817abfa45c4a08
                                                          • Opcode Fuzzy Hash: 9a5ef71bdcb9e0cb01b94af2a73d875309e1026f8ee22c3c40004dfe7cc27561
                                                          • Instruction Fuzzy Hash: E471C474E10209DFDB08CFE5D5996ADBFB2BF88300F64852AE81AA7354DB305946CF91
                                                          APIs
                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 05009E1B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: CreateProcessUser
                                                          • String ID:
                                                          • API String ID: 2217836671-0
                                                          • Opcode ID: 46a44da983b32760a48054b6d051c13d01d9c36ecd14c1f63ed9ae6421f2b7de
                                                          • Instruction ID: dde4ae7d9d54a08e7f8944092c6e71987d5ddacca8fa97dc4388f1bdead0b49f
                                                          • Opcode Fuzzy Hash: 46a44da983b32760a48054b6d051c13d01d9c36ecd14c1f63ed9ae6421f2b7de
                                                          • Instruction Fuzzy Hash: 4251F671D002699FEB24CF99D840BDDBBF5BF48304F0484AAE919B7250DB75AA85CF50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teq
                                                          • API String ID: 0-1098410595
                                                          • Opcode ID: 023d143185baf7483046f8d83de183aa7e35a5a41f60c87368684bfecc425131
                                                          • Instruction ID: 639bb69acd12515582caa5e09c0e6140d8de659e349678c50b31b4882607669f
                                                          • Opcode Fuzzy Hash: 023d143185baf7483046f8d83de183aa7e35a5a41f60c87368684bfecc425131
                                                          • Instruction Fuzzy Hash: ACA1B874E41218CFDB18DFB9C494A9EBBB2FF89305F20956AD815AB365CB359842CF10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teq
                                                          • API String ID: 0-1098410595
                                                          • Opcode ID: a014d6a112821fa5758a8c9f8d7ec79bb33235d9375437651a30248726050195
                                                          • Instruction ID: 8f8c015d1a926753bc48a00d416e56d5804ce81add9fce41bf73f8a903edfa74
                                                          • Opcode Fuzzy Hash: a014d6a112821fa5758a8c9f8d7ec79bb33235d9375437651a30248726050195
                                                          • Instruction Fuzzy Hash: ECA1B774E41218CFDB18DFB9C494A9EBBB2FF89305F20946AD8156B3A5CB359842CF10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: <
                                                          • API String ID: 0-4251816714
                                                          • Opcode ID: 1c3c4b9a50fdd6591b550c5779269116f29da3a7918e5e10a558d58b055d7395
                                                          • Instruction ID: db3c740f9a4312a9d425442036506f75531d1cdf9207e9d4a1b396ede99ac214
                                                          • Opcode Fuzzy Hash: 1c3c4b9a50fdd6591b550c5779269116f29da3a7918e5e10a558d58b055d7395
                                                          • Instruction Fuzzy Hash: E56163B5E00658DFDB58CFAAD9446DDFBF2AF88301F14C0AAD409AB264DB345A85CF50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: <
                                                          • API String ID: 0-4251816714
                                                          • Opcode ID: 65c266329ff1bb799e7afa0e02a81f6eb5c15a83fcd66af9f5da0f147b958d51
                                                          • Instruction ID: 523060860dd800ef3edb96384270d5fc2282e4b78c6f7a8e66083d2e4da5d6cc
                                                          • Opcode Fuzzy Hash: 65c266329ff1bb799e7afa0e02a81f6eb5c15a83fcd66af9f5da0f147b958d51
                                                          • Instruction Fuzzy Hash: 2D5176B5E006588FDB58CFAAC9446DDFBF2AF88300F14C1AAD409AB364DB345A81CF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0a757b6b0cad060dfe3c02291ad01db2f7ccd7a832c2a6d4871bf1c1c763b143
                                                          • Instruction ID: 60d3b48837f6c58c19af3bb6bea2e9eeab18d022d6dc835070ac562ba29a08be
                                                          • Opcode Fuzzy Hash: 0a757b6b0cad060dfe3c02291ad01db2f7ccd7a832c2a6d4871bf1c1c763b143
                                                          • Instruction Fuzzy Hash: 8182F071A043048FD709EBBCE99962DBFF2BF89300B15896AD445D73A5DE38D809CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 800a859fc8aa89e964a6d654cb5f01f2057e24149fab7ab7864af05fc3047563
                                                          • Instruction ID: 6c9ca756a89f245f809580f8342e866a2e5928ba1c2c0f135e56025aa53735b3
                                                          • Opcode Fuzzy Hash: 800a859fc8aa89e964a6d654cb5f01f2057e24149fab7ab7864af05fc3047563
                                                          • Instruction Fuzzy Hash: C8D11774E042698FDB64CF65D844BDDFBB6BF89340F10D9EAD40AA7254EB709A818F40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a518de91e0e36909e5fa586becfee30c7c6b3b74534dc5b8897c56ca9e231279
                                                          • Instruction ID: 7fdfcaaa71b1ce07e85a4bd32026280135f126c7863cb062548614fff83c9706
                                                          • Opcode Fuzzy Hash: a518de91e0e36909e5fa586becfee30c7c6b3b74534dc5b8897c56ca9e231279
                                                          • Instruction Fuzzy Hash: 82C115B0E1420AEFCB04CFA5D5859AEFBB2FF89300F609559D416AB258C774E942CF94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e958f496674fdfc5761d73716be66d098ea796dff5136b2e9015160748e2efc0
                                                          • Instruction ID: 17d849e6e3d9a9276161ee537536c153c3b78fe188b89f8fbcd88d93c56e9241
                                                          • Opcode Fuzzy Hash: e958f496674fdfc5761d73716be66d098ea796dff5136b2e9015160748e2efc0
                                                          • Instruction Fuzzy Hash: 1EC139B4E1420AEFCB04CFA5D4859AEFBB2FF8A300B609595D415AB358C774E942CF94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21045832e00db53faf8b6ba8ccb6f16850484e068973f6731f22e138edf98c87
                                                          • Instruction ID: 96a5072ff424b21cfbf1053552f4c0f2d771a54e31f1e681a8cea0c40ffaeda8
                                                          • Opcode Fuzzy Hash: 21045832e00db53faf8b6ba8ccb6f16850484e068973f6731f22e138edf98c87
                                                          • Instruction Fuzzy Hash: 3EB14774E14218CFDB48CFA5E945AAEBBF2FF89300F24952AD505B7254DB349902CF54
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bbcbbc674678ce0899f3a7f9659d23599e0618c82c9b293f7a23b0fdffd6ba6
                                                          • Instruction ID: 9b216ceedd8a897599622454f5023e11bad5d98393e547e5ec6d5988eb6206c8
                                                          • Opcode Fuzzy Hash: 5bbcbbc674678ce0899f3a7f9659d23599e0618c82c9b293f7a23b0fdffd6ba6
                                                          • Instruction Fuzzy Hash: 91C12774E102698FDB64CF65C9447DDBBB2BF89340F10D9EAD409A7264EB709E818F80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e33515b1451fd7954c26bf01c7a63c2ffcb1f11a27325b8e2f2dd9b6e6767afd
                                                          • Instruction ID: b9c1db68bdae70dd56b4dc90e4964007f6af2dc29b3309171e2c47047bdf2567
                                                          • Opcode Fuzzy Hash: e33515b1451fd7954c26bf01c7a63c2ffcb1f11a27325b8e2f2dd9b6e6767afd
                                                          • Instruction Fuzzy Hash: B4A1D471E00319CFEB14DFAAC940B9EBBB2BF88300F14C1A9D518AB254EB315A85CF41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 23ca71a8668bd4d59214407e1d66335391f170ecb1f3e333fc3e603163ac0629
                                                          • Instruction ID: f7b1d75a4fef577723c2efc968f16fd38602a313594c5944f2f04f9884974ab5
                                                          • Opcode Fuzzy Hash: 23ca71a8668bd4d59214407e1d66335391f170ecb1f3e333fc3e603163ac0629
                                                          • Instruction Fuzzy Hash: 2791B471E00719CFDB54DFAAC940B9EBBB2BF88300F14C1AAD519AB254EB315A85CF41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14aa31b6e919ee0cf45847e7ad244c6f0dbc1ee94a1a0db54c6edb5ae5a1a831
                                                          • Instruction ID: b6cb0ce99c0b55ee82e6fd9e43a681c1454efadb7d974086d73c2f31cecebfbc
                                                          • Opcode Fuzzy Hash: 14aa31b6e919ee0cf45847e7ad244c6f0dbc1ee94a1a0db54c6edb5ae5a1a831
                                                          • Instruction Fuzzy Hash: CD81C2B4E11218CFEB54CFA5D989B9DBBF2FF88310F1490AAE409A7250DB345A85CF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4ce521924a8ae9061d51073823a6ce44d1e65a77afbfbd15298b53eebd80f0a
                                                          • Instruction ID: 251fd0e630ccaa924c659a62e7c10b65d11ba7b9803ad1044574fdf3e204c52f
                                                          • Opcode Fuzzy Hash: d4ce521924a8ae9061d51073823a6ce44d1e65a77afbfbd15298b53eebd80f0a
                                                          • Instruction Fuzzy Hash: 075140B0E1420A9FDB08CF9AD5416AEFFF2EF89300F14D06AD455A7254D7348A42CF94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ef546b72460ef7f9b0fe084a2d4ba64c7c1f3f11d21a1a2afa58d0312e6bc40
                                                          • Instruction ID: af8efe859773f896e929f641e895adbc14ea388d73259c452c9508b3327791dd
                                                          • Opcode Fuzzy Hash: 9ef546b72460ef7f9b0fe084a2d4ba64c7c1f3f11d21a1a2afa58d0312e6bc40
                                                          • Instruction Fuzzy Hash: 50510AB4E1420A9FDB08CFAAD5416AEFFF2AF89300F24D02AD419A7254D7748A418F94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 88f577ef8bf86873200e0575cd24ae3b58ec57451526530ba34e7c5587c439f9
                                                          • Instruction ID: d467812a87be0c8755514cb83e1991313aff18044eb9179218dc10809cae7522
                                                          • Opcode Fuzzy Hash: 88f577ef8bf86873200e0575cd24ae3b58ec57451526530ba34e7c5587c439f9
                                                          • Instruction Fuzzy Hash: B5415CB0D0520ADBDF44CFA6E9415AFFBF6FB89301F10A42ADA11B7250D77446428F98
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d0bda7d44c984388a7057e1519478c125b8bc3766209dddff5b54176bb5509c0
                                                          • Instruction ID: 744cc72fb93c574c0c968ef1b516a8664ca0d58eeb65383ed9788a156269d0ad
                                                          • Opcode Fuzzy Hash: d0bda7d44c984388a7057e1519478c125b8bc3766209dddff5b54176bb5509c0
                                                          • Instruction Fuzzy Hash: 18414CB4D0424ADFDF44CFA5E8416AEFBF2FB89200F10A42AD611B7290D77846468F94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52768bc5ad6785a9b7fcc714f5958e92d4c4c2958cb10462022534910dc205e7
                                                          • Instruction ID: 3281fa39b06a3967b722a4265fdb25daa24dbee6aaafa92337cb2f6efac3dab5
                                                          • Opcode Fuzzy Hash: 52768bc5ad6785a9b7fcc714f5958e92d4c4c2958cb10462022534910dc205e7
                                                          • Instruction Fuzzy Hash: 9641B0B5E002189BDB04CFAAD984AEEFBF2BF88310F14C56AE414BB254E7345941CF90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43667e1811ebdca6e0cab80c3652f1386a4862eb2bb8da01f2cd0c403f652c13
                                                          • Instruction ID: 18303021734a7b99bb854545b6955020e434229bdcb64464c6c9f9f615868ea9
                                                          • Opcode Fuzzy Hash: 43667e1811ebdca6e0cab80c3652f1386a4862eb2bb8da01f2cd0c403f652c13
                                                          • Instruction Fuzzy Hash: FB31B6B5E002189BDB04CFAAD940AEEFBF2BF89310F14C16AE814B7254D73459468F50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2690b3dc1af9379c612aefd86607130d9f72628c33b2d12f5aa115e7861b93f8
                                                          • Instruction ID: f6fd3154462f202fc63a685c9626013379debbed9719c349adb99daf33dcaf6a
                                                          • Opcode Fuzzy Hash: 2690b3dc1af9379c612aefd86607130d9f72628c33b2d12f5aa115e7861b93f8
                                                          • Instruction Fuzzy Hash: 5C21D3B1E006189BEB18CFAAD9443DEFBF7AFC9310F14C02AD409A6254DB755A46CF90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d2be0566b5bdebf801826e5af7b774709f8978057c0587a2312a4a3c0329f61d
                                                          • Instruction ID: 625cb82967bd77a3b4b5c99c7f0192cd438108f71dec02be879d9b7b8e28b03b
                                                          • Opcode Fuzzy Hash: d2be0566b5bdebf801826e5af7b774709f8978057c0587a2312a4a3c0329f61d
                                                          • Instruction Fuzzy Hash: 3221D7B1E006188BEB18CFAAD9543DEBFF3AFC8300F14C16AD409A6258DB740946CF50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: a013563866d579f7f6d216f30df9d9ca7fe2e392c1c83f996931fbeeb0f21da7
                                                          • Instruction ID: cb8eaa89ef9298ef0fc26c7eb93a346365bc1aef1f361bb4a3837eb2899a72d8
                                                          • Opcode Fuzzy Hash: a013563866d579f7f6d216f30df9d9ca7fe2e392c1c83f996931fbeeb0f21da7
                                                          • Instruction Fuzzy Hash: 8562AF70E143188FDB08BB7CE59A6ACBBF1EB89310F514869E446D7354EA389849CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: c23e14d175f252d419b9b7af7e7fc6f97c4230b46e7ffbb4586e42dcac3bfe87
                                                          • Instruction ID: 4aff4d18cd6cca85a44f1e2acc65ef299da72506468521dfe00dfb7083565f4c
                                                          • Opcode Fuzzy Hash: c23e14d175f252d419b9b7af7e7fc6f97c4230b46e7ffbb4586e42dcac3bfe87
                                                          • Instruction Fuzzy Hash: 0D12D0B0E093188FDB08AF78E95969CBFF1BF89350F0108AAD446D7355EA389D45CB91
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 07D1A5DB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 43cffc6570e20921dd1932d246cb7840354bb120c5a33dc3c43585312d3c3202
                                                          • Instruction ID: 65d14039e29c13662303773f56878f4ab6b059612a3229278f05002f5d17937b
                                                          • Opcode Fuzzy Hash: 43cffc6570e20921dd1932d246cb7840354bb120c5a33dc3c43585312d3c3202
                                                          • Instruction Fuzzy Hash: 444176B5904B4ADFDB10CF55D848A8AFFF4FF88310FA08019E866A7681C3766125CFA4
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 015AEFF1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 30dd151e3f7ea6d910310e2ab5f8a1787aa8dbbea4d84c0e200ea48b8e43584c
                                                          • Instruction ID: d2a1c792d136281998148548f9f32f3ecd23a81a04cf61bee94fc8aeb51d26e3
                                                          • Opcode Fuzzy Hash: 30dd151e3f7ea6d910310e2ab5f8a1787aa8dbbea4d84c0e200ea48b8e43584c
                                                          • Instruction Fuzzy Hash: 0B4129B5900319CFDB14CF99C448AAEFBF5FB88314F248859E519AB321D775A841CFA0
                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0500C258
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 42d4b5b51adeae70d4a1fed1aef97bdd3551b67eeafb95a432395ae71720b0e7
                                                          • Instruction ID: 8cf49666eb90cb7b94289c973083d838094ac7f394a09d2ebd51d82106189a83
                                                          • Opcode Fuzzy Hash: 42d4b5b51adeae70d4a1fed1aef97bdd3551b67eeafb95a432395ae71720b0e7
                                                          • Instruction Fuzzy Hash: 00212676D003099FEB10CFAAD881BDEBBF5FF48310F10842AE919A7640C7789940DBA5
                                                          APIs
                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0500B7FE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: e023d70e3b7bb6c521f158c4b87a7973badf9aa9c31c0c3b2ce939f7d01973cd
                                                          • Instruction ID: e5d1c50e8511d08fbbedf70dcc4227a785df7a3cb2890659d846a47317925fb8
                                                          • Opcode Fuzzy Hash: e023d70e3b7bb6c521f158c4b87a7973badf9aa9c31c0c3b2ce939f7d01973cd
                                                          • Instruction Fuzzy Hash: CB210471D003098FEB14DFAAC485BAEBBF4AF88214F14842ED459A7680DB789945CFA5
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0500CC76
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: d41dc17a450658b4a1aa3f31b59d8bb997e543e601992c28b9c257341eb5fd1e
                                                          • Instruction ID: 2748746aedd46e9acd55a609ffb286a606bfd37573f6744856ef8ae5177eca01
                                                          • Opcode Fuzzy Hash: d41dc17a450658b4a1aa3f31b59d8bb997e543e601992c28b9c257341eb5fd1e
                                                          • Instruction Fuzzy Hash: 35213771D043088FEB14DFAAC484BAEBBF4BB48224F14842ED419A7280CB789944CFA5
                                                          APIs
                                                          • VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0500C9E7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 86e3ad117424f2308529e0552bb82dfabd5377fe3d3e9f98e3237693a703a80d
                                                          • Instruction ID: a659c7efe93196b79f1d891974797992560a726ed440e21b9a7595be1819e1c1
                                                          • Opcode Fuzzy Hash: 86e3ad117424f2308529e0552bb82dfabd5377fe3d3e9f98e3237693a703a80d
                                                          • Instruction Fuzzy Hash: 51213772C002098FEB10CFAAC444BEEBBF4BF48310F14842EE519A7240C7799900CFA5
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 0500284B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 85e9e7f432968039ea29af79485a663a9c3eebd9de3103496960fc3656aef08e
                                                          • Instruction ID: e4473ce54aa810a275846db0cfbd22f43f52f74f798cbb25666d66c184f8e9b3
                                                          • Opcode Fuzzy Hash: 85e9e7f432968039ea29af79485a663a9c3eebd9de3103496960fc3656aef08e
                                                          • Instruction Fuzzy Hash: 132136B6D00209CFDB10CF9AD984BDEBBF4FB48310F10842AE458A7250C3789644CFA5
                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 07D1A5DB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 9bfb4d475c873cd695bf5b983e3467b84a1df4f655629e0d934607f2f6de2957
                                                          • Instruction ID: 76151896a8bbdeea3ea86e2b404706f09d37f1494b0ec4d008c288f77f9aa5c1
                                                          • Opcode Fuzzy Hash: 9bfb4d475c873cd695bf5b983e3467b84a1df4f655629e0d934607f2f6de2957
                                                          • Instruction Fuzzy Hash: 6821E7B5D002499FDB10CF9AD484BDEFBF4FB48310F10842AE558A7650D378A644CFA5
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 0500284B
Memory Dump Source
• Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: d05de5cf304514d27684e05f2bfeb358edbdcd049403fa4f5e7aed9a459d62f9
• Instruction ID: 9b0d75725eb63d9d105d1355e391f3de8c874d80f9e9bea0f412d96b9ae752d4
• Opcode Fuzzy Hash: d05de5cf304514d27684e05f2bfeb358edbdcd049403fa4f5e7aed9a459d62f9
• Instruction Fuzzy Hash: 6921E4B5D002499FDB10DF9AD884BDEFBF4FB48320F10842AE958A7251D378A644CFA5

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0500BEBE
Memory Dump Source
• Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 1dfabc4a87152c72b924630828d573f345fe7cebb06326b0e1bcb67d6d48b2e5
• Instruction ID: 2bf790e6f9c85d0f168b364d0ea75835da8a2647c6e728c0791f7a56adcce1b3
• Opcode Fuzzy Hash: 1dfabc4a87152c72b924630828d573f345fe7cebb06326b0e1bcb67d6d48b2e5
• Instruction Fuzzy Hash: 16112672C002489FDB24DFAAC844BDFBBF5AF88314F14841AE519A7650C7759940CBA5

APIs
Memory Dump Source
• Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 5ec642614eb428c789f026a9bd10e5f18b6cb25ee1da2d77c9ae70eaaa45e082
• Instruction ID: e4ac65fb50d9dc6a964006ba031a5dafdb674ef5c4c3595f94f164c1f79de5fb
• Opcode Fuzzy Hash: 5ec642614eb428c789f026a9bd10e5f18b6cb25ee1da2d77c9ae70eaaa45e082
• Instruction Fuzzy Hash: 99113A71D003488FEB24DFAAC4447DFFBF4BB88214F14841ED419A7640CB796940CBA5

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0500D52D
Memory Dump Source
• Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 83960c28487f0475d2b444dfd8156d2642362f84cb67b16f324e02af67a2e71a
• Instruction ID: c29393f2a804a49f11d03e50c116935b7e9bbc8fff04a0ad10461a5c7af0d85c
• Opcode Fuzzy Hash: 83960c28487f0475d2b444dfd8156d2642362f84cb67b16f324e02af67a2e71a
• Instruction Fuzzy Hash: D41106B58003489FDB10DF9AD444BDEBBF8FB48314F108419E958A7250C375A944CFA5

Strings
Memory Dump Source
• Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
Similarity
• API ID:
• String ID: 4'q
• API String ID: 0-1807707664
• Opcode ID: c928315deb4c6305dac31a44e0a18dcc0283d5bc0d1070e84a91bd2a77e9e68b
• Instruction ID: 1e52d5dfccf5f9c113b2547531b9d67674273dadc1e97b95613f7a0750747e87
• Opcode Fuzzy Hash: c928315deb4c6305dac31a44e0a18dcc0283d5bc0d1070e84a91bd2a77e9e68b
• Instruction Fuzzy Hash: 1791B3B0A14209CBDB08FBBCE955B6D7BF6EB88300F518869D445A7358DA3DDC18C791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PHq$PHq
                                                          • API String ID: 0-1274609152
                                                          • Opcode ID: a23e95f11316af284687891a64e05021854a4296274b808e2da3e8655d0e0e6c
                                                          • Instruction ID: 98b116bd13d7e1cf7ece361c63f21427c564e1da30272a264ab9348eeeaa19b5
                                                          • Opcode Fuzzy Hash: a23e95f11316af284687891a64e05021854a4296274b808e2da3e8655d0e0e6c
                                                          • Instruction Fuzzy Hash: 9BD1C434A00605CFEB64DF69D598AADB7F1BF4C710F2590A8E406AB3A1DB31AD41CF60
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1956466863.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_15a0000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xq$$q
                                                          • API String ID: 0-855381642
                                                          • Opcode ID: 23b20edbb6e855d4be1d2b96474fe97401ade2c30996fd6cd056eb614c862112
                                                          • Instruction ID: 382f6427ebc7bd6c7e2fd3fb8883393950402c532169dcd2017a62c4199622b4
                                                          • Opcode Fuzzy Hash: 23b20edbb6e855d4be1d2b96474fe97401ade2c30996fd6cd056eb614c862112
                                                          • Instruction Fuzzy Hash: 05819274F453188BEB18DF75A85867E7BB7BFC4304B05851DE006EB288DE359C028796
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L~
                                                          • API String ID: 0-3876828424
                                                          • Opcode ID: 8d3e05ab05e6e0aadb4f27b31077cb3ea785e8fe03d6750d023fd83c805a18d0
                                                          • Instruction ID: 8f3ac32575fe34fb66ca9fdb22c459eb21c22ff09942af74acebcea1e147831e
                                                          • Opcode Fuzzy Hash: 8d3e05ab05e6e0aadb4f27b31077cb3ea785e8fe03d6750d023fd83c805a18d0
                                                          • Instruction Fuzzy Hash: 309123B4E15219DFCB04CFA9D9858AEFBF1FF89211F249459D419AB320D334AA41CFA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L~
                                                          • API String ID: 0-3876828424
                                                          • Opcode ID: 1ea8f93b4c96b4ffda15cad25dc57a4f1d672fdabc652c77945ecd245dc32579
                                                          • Instruction ID: 71a8b01ce27ee0cab141fcb30c5abf2cd01430f1e2a5ffa6b3a6d8052edcdf96
                                                          • Opcode Fuzzy Hash: 1ea8f93b4c96b4ffda15cad25dc57a4f1d672fdabc652c77945ecd245dc32579
                                                          • Instruction Fuzzy Hash: F39114B4E15219DFCB04CFA9D98589EFBF1FF89211F14945AD419AB324D330AA41CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4|q
                                                          • API String ID: 0-612143306
                                                          • Opcode ID: 6015ad61edd755b3bd77680349924c40cd2a6cd42e011430d3abd0b5bafb80d9
                                                          • Instruction ID: e5c21c72f7acd19c8248fb716b8ad5081238ed0ceeb607fb141b6bf78385341f
                                                          • Opcode Fuzzy Hash: 6015ad61edd755b3bd77680349924c40cd2a6cd42e011430d3abd0b5bafb80d9
                                                          • Instruction Fuzzy Hash: 81510970E042188BEB68DFAAD8507DDBBF2BF88300F14C5AAD509B7254EB345A85CF50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7c5ccb07bb0735ecc461b4b6f39af895e43fa2e887e9d9861233e6c2268bf07
                                                          • Instruction ID: 29bf8212cde186796a4136d27b3db8ce84874ab1efe1d894a40dcc309716dd70
                                                          • Opcode Fuzzy Hash: d7c5ccb07bb0735ecc461b4b6f39af895e43fa2e887e9d9861233e6c2268bf07
                                                          • Instruction Fuzzy Hash: CFD1CF317006108FEB59EB75D554BAEB7EAAF89600F14486DD146EB2D0DF38E902CB61
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b1d77f6219f1dd0ea4db20cfaa4ac8236e43ea36b17feac37874a00a900c28b
                                                          • Instruction ID: 33c3b700c9bbb209a6f2a31759411e2e07eedbca540ebc8799b3ceb3c9d8e68d
                                                          • Opcode Fuzzy Hash: 7b1d77f6219f1dd0ea4db20cfaa4ac8236e43ea36b17feac37874a00a900c28b
                                                          • Instruction Fuzzy Hash: 7EA11570E15218CFDB44CFA5E945AEEBBF6FF89300F14A52AD50AB7254DB349802CB54
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bbd4e70c6fcde3c9e375165a20245cd876bc82c616f31f1a31ab1bdf404d7264
                                                          • Instruction ID: e10025072f039937cb307f29cb20c406f044e157949291806501892cf9c89c08
                                                          • Opcode Fuzzy Hash: bbd4e70c6fcde3c9e375165a20245cd876bc82c616f31f1a31ab1bdf404d7264
                                                          • Instruction Fuzzy Hash: 038126B4E1421ADFCB04CFA9E5849AEFBF2FF49201F189556D815AB311D3349982CF91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37d5a75aded31b98e25f08200ef16a3e4f42ec4fa0afa4040be0c0b32cf03972
                                                          • Instruction ID: 6a36a0ef2752be3bbdf8182548128725a0f21f799eb0f5dd4efd5dfc0c947699
                                                          • Opcode Fuzzy Hash: 37d5a75aded31b98e25f08200ef16a3e4f42ec4fa0afa4040be0c0b32cf03972
                                                          • Instruction Fuzzy Hash: 0571E7B4E152099FCB04CFA9D5805DEFBF2FF8A210F28A46AD415B7224D7349A428F64
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d65f62f9135a231797f58e45698e3146824634c650476f938a349559d898a918
                                                          • Instruction ID: 4e345a0c8434af905cd0ff5d61ee63e8252509516e7ae0938612af3603a6119d
                                                          • Opcode Fuzzy Hash: d65f62f9135a231797f58e45698e3146824634c650476f938a349559d898a918
                                                          • Instruction Fuzzy Hash: BB71F7B4E156099FCB04CFA9D6805DEFBF2EF89210F28A46AD415F7224D3349A428F64
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6b7fead0b99c75164fc87e8468041d94bd216b5b782e4a23ba4c3166d6d1d45
                                                          • Instruction ID: 867a91eb274c8beda69def572083ad602d37805f3d0e8757edb411088dff3cfc
                                                          • Opcode Fuzzy Hash: a6b7fead0b99c75164fc87e8468041d94bd216b5b782e4a23ba4c3166d6d1d45
                                                          • Instruction Fuzzy Hash: 457104B4E1021ADFCB04CF99E5849AEFBB2FF89311F189559D815AB314C3309982CF94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6cc913bc79065f942aa75409845c9fe6eb01944ebe12fb0c3eaed269c4e20b11
                                                          • Instruction ID: aec5ff9e8b3be3893379fbf029af6b6ebb01f988fa7fccec98ede5953be6d613
                                                          • Opcode Fuzzy Hash: 6cc913bc79065f942aa75409845c9fe6eb01944ebe12fb0c3eaed269c4e20b11
                                                          • Instruction Fuzzy Hash: 426117B0D15209EFDB04CFA9D8816AEFBB1BF89300F14D15AD455B7244D3749A82CFA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5317776e9c7ee445025a1d879b28227e50c3c45fe0695264538bf495246c7392
                                                          • Instruction ID: c964b0a408c42ceb4c710317fe82ee96c98acc267c39b251b92517f359d87a93
                                                          • Opcode Fuzzy Hash: 5317776e9c7ee445025a1d879b28227e50c3c45fe0695264538bf495246c7392
                                                          • Instruction Fuzzy Hash: A55118B5E1520AEBDB04CFA5D8816AEFBF2BF89300F14D066D455B7244D3349A81CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76bf2d8fb30d22e686cce82b7e08fdf93e3f70834e61d948d312aae22966ea3f
                                                          • Instruction ID: 03f47753f940fbee03da197161eb0aac1b326b25f1c6abd3904d1d11ca026665
                                                          • Opcode Fuzzy Hash: 76bf2d8fb30d22e686cce82b7e08fdf93e3f70834e61d948d312aae22966ea3f
                                                          • Instruction Fuzzy Hash: 9E514DB1E057598FEB09CFAAC94469EFBF3AF89200F14C0AAC048AB265D7344946CF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8742e2a835754497a3c9ac0ab9fc454c41b7a1be32be8978213b6b8fc5bd74d2
                                                          • Instruction ID: bab6e19565f10ee05e4fe0d8008dd1b66b6651cdee569b4b56c76fe1b2c24bb3
                                                          • Opcode Fuzzy Hash: 8742e2a835754497a3c9ac0ab9fc454c41b7a1be32be8978213b6b8fc5bd74d2
                                                          • Instruction Fuzzy Hash: DA518BB1E057588FEB19CF679D45389FBF3AFC9200F18C1BA854CA6265DB3409868F51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 503e12738e84b8f4494b33615d8d7f78586e2cabc6424972d4d3e696ee797e0a
                                                          • Instruction ID: 2d3ffc79c0d535d0714fcfd29e056311ce05da3b594a3be27253077526a7792a
                                                          • Opcode Fuzzy Hash: 503e12738e84b8f4494b33615d8d7f78586e2cabc6424972d4d3e696ee797e0a
                                                          • Instruction Fuzzy Hash: 2741E8B1E1520A9FDB44CFAAD5815AEFBF2FB89300F24E46AC415A7214D3359642CF94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de32ea0ea70c4b7711ee4f1e9117fc1a886d4fdf954e30b8bc749a126cc9ca31
                                                          • Instruction ID: 665055510c704d96e61a88b408840bafb34ffef9e365b1b6487cf56e5f260234
                                                          • Opcode Fuzzy Hash: de32ea0ea70c4b7711ee4f1e9117fc1a886d4fdf954e30b8bc749a126cc9ca31
                                                          • Instruction Fuzzy Hash: A44136B1E1520A9FDB08CFAAC5805AEFBF2FB89310F24D06AC515A7254D3349A42CF94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1971266533.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7990000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4619a850ca9fbfd3505f4b881410959ca67bb47659d6c4407191ea378b31d0be
                                                          • Instruction ID: 5fa6f73d1723fed58b2d89e42e056d2bdc50260580ecde8867f4c7537056128c
                                                          • Opcode Fuzzy Hash: 4619a850ca9fbfd3505f4b881410959ca67bb47659d6c4407191ea378b31d0be
                                                          • Instruction Fuzzy Hash: E94109B1E016198FEB58CFAAC94469EFBF7BF89304F14C0BAC408AB254D7304A458F51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d69dbdbc0566ca90a3d65ff4131b024fcb4f62c613341191d01a85f43bc2235
                                                          • Instruction ID: 57743859ec02ecf3d8943633584d32f0b81ab7f3daabf2212cc5ca5e582e202e
                                                          • Opcode Fuzzy Hash: 4d69dbdbc0566ca90a3d65ff4131b024fcb4f62c613341191d01a85f43bc2235
                                                          • Instruction Fuzzy Hash: 7D414C71E016188BEB68CF6B9D4579EFBF3BFC8300F14C1BA950CA6254EB300A858E51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: da8356e1ba32fd762901396b939d10ac5487674e48199abb7208e0bb957ac993
                                                          • Instruction ID: e76708e967227b5f9003e041e31680283d37f9bea655ea6d9add2171ab21f658
                                                          • Opcode Fuzzy Hash: da8356e1ba32fd762901396b939d10ac5487674e48199abb7208e0bb957ac993
                                                          • Instruction Fuzzy Hash: A5411574E04219DFDB44CFA9E985ADEBBB2BF89301F14A92AD106B7294D73499018F18
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fc2fd34c403371fb0e4e7f54b24f0e12fcbdc99f99bae62ba6978bf06fbf2c73
                                                          • Instruction ID: 1c0e679abe80cbbb07be454c95ec2c89e3a91b2b43c890a164c927c1353e3c4c
                                                          • Opcode Fuzzy Hash: fc2fd34c403371fb0e4e7f54b24f0e12fcbdc99f99bae62ba6978bf06fbf2c73
                                                          • Instruction Fuzzy Hash: B321A7B1E016189FEB18CFABD94479EFBF7AFC9200F14C0BAD518A6254EB345A418F51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1972948148.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7d10000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc2a5f77b30be5f9023535b002876d9e65cbc4a98c70b07b6d768c3f1866dc54
                                                          • Instruction ID: c08cc470ab308738c96393dbcf818e09393038292ee2238906636d269a42eb4c
                                                          • Opcode Fuzzy Hash: dc2a5f77b30be5f9023535b002876d9e65cbc4a98c70b07b6d768c3f1866dc54
                                                          • Instruction Fuzzy Hash: 0E21CAB1E016189FEB18CFABD94579EFBF3AFC9200F14C0AAD518A6254DB344A468F51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f35e35f1892e46f37b0d0113a27dd387a88e6667738378c7101f25fbdc89b69b
                                                          • Instruction ID: 463c5b509bf1166483a19f50633f5e73fa54ecec722d1f1059cdfd2c55d219a7
                                                          • Opcode Fuzzy Hash: f35e35f1892e46f37b0d0113a27dd387a88e6667738378c7101f25fbdc89b69b
                                                          • Instruction Fuzzy Hash: 1F212771E116199BEB08CFAAD9406EEFBF7AFC9210F14C12AD518A7254DB344A418B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1db23f664c2855121ca6c61b21ff0c1139b7436a8c403b34b8e638f201f718e0
                                                          • Instruction ID: 621be25015d409754f227ea7c3a41d429ace514e3ff6caa1e9b9f362a14760ae
                                                          • Opcode Fuzzy Hash: 1db23f664c2855121ca6c61b21ff0c1139b7436a8c403b34b8e638f201f718e0
                                                          • Instruction Fuzzy Hash: F2112971E116198BEB48CFABD9456AEFBF7BFC8210F14C03AD518A7254DB305A42CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d011f5edee46a7cd92a1f4ca2d996aa363ea48d459fb3afd9f88fb2cf67ddd5
                                                          • Instruction ID: 028d2470d702d7dd914418190cd0c18d9e71cba0ac7e926fc9508285ddb4eb3e
                                                          • Opcode Fuzzy Hash: 6d011f5edee46a7cd92a1f4ca2d996aa363ea48d459fb3afd9f88fb2cf67ddd5
                                                          • Instruction Fuzzy Hash: E0112971E106189BEB48CFAAE9416EEFBF7EFC8210F14C06AD508A7254DB305A528F51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aada798b05e79f4fa8c78cd0e8a35e7dcf318f44a303340864ae5471131947e6
                                                          • Instruction ID: ecb88a927f8a805bd82f92b6aa3b27b265cc26362ff59be7f94915771c5a3770
                                                          • Opcode Fuzzy Hash: aada798b05e79f4fa8c78cd0e8a35e7dcf318f44a303340864ae5471131947e6
                                                          • Instruction Fuzzy Hash: 78111A71E106198BDB48CFAAD9406AEFBF7EFC8210F14D03AD508A7254DB345A428F91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db129ed82f58171539da113322f2544d99ac7b1502fcf80365fb7931d87a5712
                                                          • Instruction ID: c61e20e45f837a6b5cf17be65fec92c351ce22df64d9d0388e71e62fd24269c0
                                                          • Opcode Fuzzy Hash: db129ed82f58171539da113322f2544d99ac7b1502fcf80365fb7931d87a5712
                                                          • Instruction Fuzzy Hash: 17112971E116199BEB18CFAAE9456EEFBF7EBC8200F14C03AE408B7254DB305A458B50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64c7c5040f324e37c6c93ccc72bd7264131c3f1b283a5536101f64a03df1d4ce
                                                          • Instruction ID: 34a6ac6ebd91227a248d0d759f8e2ef74c3f566bdea29875e6ff972f1ee867e3
                                                          • Opcode Fuzzy Hash: 64c7c5040f324e37c6c93ccc72bd7264131c3f1b283a5536101f64a03df1d4ce
                                                          • Instruction Fuzzy Hash: 0C214A71E106188FEB49CFAAD9456AEFBF3BFC8200F14D07AD408A7254DB348A428B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6b4580f2581d196fb64277ac90be4a59d3a92b12ddd8428bdc6ecdee07c6a2fa
                                                          • Instruction ID: 485016ffa8053ea201dbe809ed0992d96c0b39d3dd3c5b16cd155c295dd251f3
                                                          • Opcode Fuzzy Hash: 6b4580f2581d196fb64277ac90be4a59d3a92b12ddd8428bdc6ecdee07c6a2fa
                                                          • Instruction Fuzzy Hash: F7113D71E116188FEB49CFAAD9456AEFBF3AFC9200F14C46AD408B7254DB304945CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70cd5599cd3a2999fe9030cb5870077f48cbe38b7f01194d951f56e2e2d62e57
                                                          • Instruction ID: 5c118acc2170dfe314be6ed8b14bbb46703809d88d98f448c0a292ee76135aeb
                                                          • Opcode Fuzzy Hash: 70cd5599cd3a2999fe9030cb5870077f48cbe38b7f01194d951f56e2e2d62e57
                                                          • Instruction Fuzzy Hash: DB216D71E112189BDB09CFAAD9456EEFBF3AFC9200F14C07AD408B7354DB304A458B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91b5bc49b0f5bb071c26c9d556ae70be6e4e79cbc10e246b4ebd2e5965660f2c
                                                          • Instruction ID: d9c017f7c69c568495740c8484a7986211941735f88ee0e8a8a6aba855ac1817
                                                          • Opcode Fuzzy Hash: 91b5bc49b0f5bb071c26c9d556ae70be6e4e79cbc10e246b4ebd2e5965660f2c
                                                          • Instruction Fuzzy Hash: 1E114CB5E116099FEB48CFAAD94569EFAF7BFC8200F14C07AD548B7254DB304942CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1965779742.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5000000_719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d40787232d979d4e249b6178fd3129409fe2661f4369b84a258724d92f05014
                                                          • Instruction ID: 6858c3035857e0cc17bc48ad7cc82b234887b7e4b3fd92a95bc213c90703a186
                                                          • Opcode Fuzzy Hash: 9d40787232d979d4e249b6178fd3129409fe2661f4369b84a258724d92f05014
                                                          • Instruction Fuzzy Hash: F61107B1E116199BEB48CFAAD9456AEFAF3AFC8300F14C52AD418B7354DB344A418F51

                                                          Execution Graph

                                                          Execution Coverage: 6.9%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 15
                                                          Total number of Limit Nodes: 1
                                                          execution_graph (node: address [API] -> successors)
                                                          • 16622: 185b3e0 -> 16623
                                                          • 16623: 185b426 -> 16627, 16632
                                                          • 16624: 185b513
                                                          • 16627: 185b5b1 -> 16628, 16629
                                                          • 16628: 185b589 -> 16624
                                                          • 16629: 185b5be -> 16635
                                                          • 16632: 185b5c0 -> 16633
                                                          • 16633: 185afbc (DuplicateHandle) -> 16634
                                                          • 16634: 185b5ee -> 16624
                                                          • 16635: 185afbc -> 16636
                                                          • 16636: 185b628 (DuplicateHandle) -> 16638
                                                          • 16638: 185b5ee -> 16624
                                                          • 16639: 18562a8 -> 16640
                                                          • 16640: 18562ec (SetWindowsHookExW) -> 16642
                                                          • 16642: 1856332

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (basic block: address range [API] -> successors)
                                                          • 1236: 185afa7-185b651 -> 1239
                                                          • 1239: 185b654-185b6bc (DuplicateHandle) -> 1240, 1241
                                                          • 1240: 185b6c5-185b6e2
                                                          • 1241: 185b6be-185b6c4 -> 1240
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0185B5EE,?,?,?,?,?), ref: 0185B6AF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2556082107.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1850000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 13a764981cec31acace8a9036d74a4706eb64033b70c4121eefc10380a921e53
                                                          • Instruction ID: 31094a20ca9b3fcebc6afedbc00d24e37615d8b334b1f693fe8c3caf5d6cfa38
                                                          • Opcode Fuzzy Hash: 13a764981cec31acace8a9036d74a4706eb64033b70c4121eefc10380a921e53
                                                          • Instruction Fuzzy Hash: 103125B6801348AFDB10CFAAD884AEEBBF4EF48314F14801AE954A7210D3359A45CFA4

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (basic block: address range [API] -> successors)
                                                          • 1244: 185b620-185b625 -> 1245, 1246
                                                          • 1245: 185b654-185b6bc (DuplicateHandle) -> 1247, 1248
                                                          • 1246: 185b627-185b651 -> 1245
                                                          • 1247: 185b6c5-185b6e2
                                                          • 1248: 185b6be-185b6c4 -> 1247
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0185B5EE,?,?,?,?,?), ref: 0185B6AF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2556082107.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1850000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 439156ce28aaf5db703413b93e9b0e4b6de2750e2c7fbe61d1167a02f1df605b
                                                          • Instruction ID: d40b1b581a3c893cbd0f07a8a614ac6b3a07c72266aab271096314ca63792312
                                                          • Opcode Fuzzy Hash: 439156ce28aaf5db703413b93e9b0e4b6de2750e2c7fbe61d1167a02f1df605b
                                                          • Instruction Fuzzy Hash: E821F2B5801248AFDB10CFAAD884ADEBBF9EB48314F10801AE914A3350D375A954CFA5

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (basic block: address range [API] -> successors)
                                                          • 1252: 185afbc-185b6bc (DuplicateHandle) -> 1255, 1256
                                                          • 1255: 185b6c5-185b6e2
                                                          • 1256: 185b6be-185b6c4 -> 1255
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0185B5EE,?,?,?,?,?), ref: 0185B6AF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2556082107.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1850000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 7f414f936c66148ba4edf352a805eb441c34b62fb33279ceacfa328f68a3e9d1
                                                          • Instruction ID: 841b294da689f791d368717e7cbc023f3ab1956dba89910b520a84a9e03873e4
                                                          • Opcode Fuzzy Hash: 7f414f936c66148ba4edf352a805eb441c34b62fb33279ceacfa328f68a3e9d1
                                                          • Instruction Fuzzy Hash: A621D2B5901208AFDB10CFAAD984AEEFBF5EB48314F14801AE918A7350D375A954CFA5

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (basic block: address range [API] -> successors)
                                                          • 1259: 18562a0-18562f2 -> 1262, 1263
                                                          • 1262: 18562f4 -> 1266
                                                          • 1263: 18562fe-1856330 (SetWindowsHookExW) -> 1264, 1265
                                                          • 1264: 1856332-1856338 -> 1265
                                                          • 1265: 1856339-185635e
                                                          • 1266: 18562fc -> 1263
                                                          APIs
                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01856323
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2556082107.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1850000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: b384d422c3c89d76542adc178cf6533de04acf6020c7695f63a3989e2647ed72
                                                          • Instruction ID: 49a2e655353024a1ca02fc64944d3de79508f844c443b231384dc9210c524eb2
                                                          • Opcode Fuzzy Hash: b384d422c3c89d76542adc178cf6533de04acf6020c7695f63a3989e2647ed72
                                                          • Instruction Fuzzy Hash: 1C213775D002099FDB14CFAAC844BDEFBF5FB48310F10841AE815A7250D775AA44CFA5

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (basic block: address range [API] -> successors)
                                                          • 1270: 18562a8-18562f2 -> 1272, 1273
                                                          • 1272: 18562f4 -> 1276
                                                          • 1273: 18562fe-1856330 (SetWindowsHookExW) -> 1274, 1275
                                                          • 1274: 1856332-1856338 -> 1275
                                                          • 1275: 1856339-185635e
                                                          • 1276: 18562fc -> 1273
                                                          APIs
                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01856323
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2556082107.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1850000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: a4ed63bc4732f44d57622c1f6269e672d058cc1d0337b125c77a3c277364b259
                                                          • Instruction ID: cb1fbb82eec9be9fd99ba26bb291c3688daf86ab6b77cf1e1a92918e1f137189
                                                          • Opcode Fuzzy Hash: a4ed63bc4732f44d57622c1f6269e672d058cc1d0337b125c77a3c277364b259
                                                          • Instruction Fuzzy Hash: 78211575D002099FDB14DFAAD844BDEFBF5FB88310F10842AE815A7250D775A944CFA5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2554980033.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_149d000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 75e86eeaa1108600dbb74204c0e6c36b3a4569c6ced35320f389f4ad643a3cfa
                                                          • Instruction ID: 4cc09f502c61c22c5ddd33377d485386780228082544a25d3a4e9dad274e2aab
                                                          • Opcode Fuzzy Hash: 75e86eeaa1108600dbb74204c0e6c36b3a4569c6ced35320f389f4ad643a3cfa
                                                          • Instruction Fuzzy Hash: B0210371904240EFDF15DF54D9C0B27BFA5FB88328F24856AE9090B366C336D456CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2554980033.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_149d000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7299e44d55b52c0db47aed13d689d94a0f57b1c5480a28fdbf82bbb35e611cb1
                                                          • Instruction ID: e909374a24f0d6d6fc2f1643b2fdd04c011e5064e3ecc6474770bfd2a1aca5b9
                                                          • Opcode Fuzzy Hash: 7299e44d55b52c0db47aed13d689d94a0f57b1c5480a28fdbf82bbb35e611cb1
                                                          • Instruction Fuzzy Hash: F1210371904240EFDF15DF54D9C0B66BFA5FB84324F20C57AE9090B266C33AE456CAA2
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2555215355.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_14ad000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9e96d2c9ac5382fa5791b24caf4447f1f73bff2faf6e3dfd7e5c4c9b53220add
                                                          • Instruction ID: 7024d17993d1d67236a76b45d5c28d233c5fa7e82067190976f45ecdd7ac9820
                                                          • Opcode Fuzzy Hash: 9e96d2c9ac5382fa5791b24caf4447f1f73bff2faf6e3dfd7e5c4c9b53220add
                                                          • Instruction Fuzzy Hash: 402125B1904200AFDB05DF54D9C0B26BBA1FB98314F60C56EE8094B766C336E446CA61
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2555215355.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_14ad000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8d384f45f29be529df6c3fc9d2b4805879815509ebe90edc1956819e6afcd1d
                                                          • Instruction ID: 6c639367c9a65d3dcb88b9e848c65d9a01c1b99e4039712d27fd9edd71b4bba8
                                                          • Opcode Fuzzy Hash: d8d384f45f29be529df6c3fc9d2b4805879815509ebe90edc1956819e6afcd1d
                                                          • Instruction Fuzzy Hash: 712149B1948300DFDB24DF64C5C0B16BBA1FB94358F60C56ED9094B762C336C447C661
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2555215355.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_14ad000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9cd3e260c6c0d7e714ef1b1706db9ee9feca72bc9c19888ebc36977c88ed090
                                                          • Instruction ID: 342b03dc001855e82f62a99fb066898e811d982449726efa070ff2d24811a374
                                                          • Opcode Fuzzy Hash: d9cd3e260c6c0d7e714ef1b1706db9ee9feca72bc9c19888ebc36977c88ed090
                                                          • Instruction Fuzzy Hash: E721927554D3808FCB13CF24C580715BF71AB46218F29C5DAD8498FA63C33A984ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2554980033.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_149d000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                          • Instruction ID: ded5b4e03baef27aafdc22dd1bae9d46f2c43d2a444c8ffc06d5953d2e84855e
                                                          • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                          • Instruction Fuzzy Hash: B411AF76904280DFCF16CF54D5C4B16BF72FB84328F2485AAD9094B766C33AD456CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2554980033.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_149d000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                          • Instruction ID: cc3916908668508e4283d7707e66bc438e1a5048da598cb53973d102dc38ade9
                                                          • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                          • Instruction Fuzzy Hash: 7511DF72804280DFCF16CF54D5C4B56BF61FB84324F24C6AAD8090B667C336E456CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2555215355.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_14ad000_InstallUtil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                          • Instruction ID: 64b62bb4571931718c19f24d6c204f5825629dab1d1238eb057f291658bb9b2c
                                                          • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                          • Instruction Fuzzy Hash: CC11BE75904240CFDB16CF54D9C4B16BFB1FB44314F24C6AAD8494BB66C33AE44ACB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kUun^${Uun^$[un^
                                                          • API String ID: 0-2658419205
                                                          • Opcode ID: c8922a6536fdeaceaeb1e64a1e3395b3b19d6d9b8efdc39629c05e95183c16b7
                                                          • Instruction ID: e5452c4adb3a5e5b2efd076237dd75dd0a474b4ac373afd0fa5a0275c30c8aec
                                                          • Opcode Fuzzy Hash: c8922a6536fdeaceaeb1e64a1e3395b3b19d6d9b8efdc39629c05e95183c16b7
                                                          • Instruction Fuzzy Hash: 57914FB4B00724ABDB19DFB589106AE7BF3EF84700B408919D516BB344DF75AE058BC5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kUun^${Uun^$[un^
                                                          • API String ID: 0-2658419205
                                                          • Opcode ID: f3d2c678330db8632dfa5edf3855a982494b85d86ceff0ee236f1bf5ad8f4b6c
                                                          • Instruction ID: dc73ff5c218eb9188bc87ff5fd2dbae03cd8ca032bad7393159b1402d053c49c
                                                          • Opcode Fuzzy Hash: f3d2c678330db8632dfa5edf3855a982494b85d86ceff0ee236f1bf5ad8f4b6c
                                                          • Instruction Fuzzy Hash: 15913FB4B00724ABDB19DFB98510AAE7BF3EF84700B408919D516BB344DF75AE058BC5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$JRl$JRl$JRl$JRl$JRl$JRl$rQl$rQl
                                                          • API String ID: 0-3103325787
                                                          • Opcode ID: af9de60fdbbce22559a7d9958c2a6579708651fa79e1648a1fca3ef74fa7992d
                                                          • Instruction ID: 2a9b33594ae3dc367b88e7c1b4ca2e73a2d8f08e1ead233e1f0076a1d600179a
                                                          • Opcode Fuzzy Hash: af9de60fdbbce22559a7d9958c2a6579708651fa79e1648a1fca3ef74fa7992d
                                                          • Instruction Fuzzy Hash: 592218B1B00306EFDB259B6988447AAB7F2FFCA211F04807AD5258F2D1DB35D951CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q
                                                          • API String ID: 0-4210068417
                                                          • Opcode ID: 7ff03e364b7a3ddbef3fea2eda82e082dc944f0d5feabc25523422980a43774c
                                                          • Instruction ID: 2fcd3cb50a684bd40cea22ef116275fbf4bce754a0d75ef67fe8b27cad2c49f4
                                                          • Opcode Fuzzy Hash: 7ff03e364b7a3ddbef3fea2eda82e082dc944f0d5feabc25523422980a43774c
                                                          • Instruction Fuzzy Hash: 311269B1B04346EFDB258B6898017AABBF29FC6214F14807BE511CF652DB75CD42C7A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `Rl$$q
                                                          • API String ID: 0-3125705853
                                                          • Opcode ID: b184a3cc7d88cde930d7774c9772726ccb230a5f521f56aec469aba9ecc3e2b6
                                                          • Instruction ID: dd2079382da2555c5c5c7d7726d6bd25080297904990bce2951310277b596023
                                                          • Opcode Fuzzy Hash: b184a3cc7d88cde930d7774c9772726ccb230a5f521f56aec469aba9ecc3e2b6
                                                          • Instruction Fuzzy Hash: 1931E3347043006FC715E774E850AAA7BA6FFC6210F0849AED019CF256CF75EC0A87A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (q
                                                          • API String ID: 0-2414175341
                                                          • Opcode ID: 3a531da75c6b3f1838da240d66d4840ddc1fe841b0d7127af8f653d33a55604c
                                                          • Instruction ID: d8aee2581f053efd6bbf65e2fb9e4d907bfac7593b7ad54ce177b362ffd2f036
                                                          • Opcode Fuzzy Hash: 3a531da75c6b3f1838da240d66d4840ddc1fe841b0d7127af8f653d33a55604c
                                                          • Instruction Fuzzy Hash: 2F417A34B042148FDB18DFA4D598AAEBBF2AF8D314F1440A9E406AB390DB75ED01CB61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (&q
                                                          • API String ID: 0-583763264
                                                          • Opcode ID: 2621b73bd2c8429e81877c6051b0244380b94ccf28ea01c3136a34db81dc4de7
                                                          • Instruction ID: e64218b0c3efe6fbf89446fcea0c60cbd426397be5f15fcddbca63799603d2ad
                                                          • Opcode Fuzzy Hash: 2621b73bd2c8429e81877c6051b0244380b94ccf28ea01c3136a34db81dc4de7
                                                          • Instruction Fuzzy Hash: BE210675E043188FDB15DFAAE400B9EBBF6EF88320F14842AD418E7340CB75A9058BE5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .un^
                                                          • API String ID: 0-1813250343
                                                          • Opcode ID: d11304a73553af1bd393b69baf2c7733e1a42edc71d25b91fc955443bc945675
                                                          • Instruction ID: 59ef9d175d49ee2596ed9269bf1a025552458f1f87f2db13f863f07e8a05ccc7
                                                          • Opcode Fuzzy Hash: d11304a73553af1bd393b69baf2c7733e1a42edc71d25b91fc955443bc945675
                                                          • Instruction Fuzzy Hash: 80F0E936708B346BC713925D7D018FEBB6ACED65B23054467E01AC7600DEA5A90643F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .un^
                                                          • API String ID: 0-1813250343
                                                          • Opcode ID: 61466a3db4d3f71cb466f2276bc96c99a283383c966b35108a703d1e191e9754
                                                          • Instruction ID: a8fe1391c82709173e66f7ffcc6cf4b113d1541d0deb6341784d507f2032c628
                                                          • Opcode Fuzzy Hash: 61466a3db4d3f71cb466f2276bc96c99a283383c966b35108a703d1e191e9754
                                                          • Instruction Fuzzy Hash: 60E0CD35700B14178716A75DA80085F77EFDFC9975314442DD01AC7300DFA4ED0147E6
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0c7cc00de11d212c080261bfcbba3d872e9dcdaddc353dae9465ec5a3d48a7e
                                                          • Instruction ID: 11401e0b2ef91bd0060018e8ad5852675f5c42b94b800f569baecc22f252f292
                                                          • Opcode Fuzzy Hash: c0c7cc00de11d212c080261bfcbba3d872e9dcdaddc353dae9465ec5a3d48a7e
                                                          • Instruction Fuzzy Hash: 53B13834E01228EFDB18DFA8D584A9DBBF2AF88314F258159E814AB355C771EE41CF94
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14d93983a26a735f72b48305baff650fb405aef1b267f40ae91518e84a300f55
                                                          • Instruction ID: 39997495c91017ce72e0d24c858038ffaeea34f39cb69a4cc44afdebcdd56697
                                                          • Opcode Fuzzy Hash: 14d93983a26a735f72b48305baff650fb405aef1b267f40ae91518e84a300f55
                                                          • Instruction Fuzzy Hash: 9591AC74A00605DFCB15CF58C598AAEFBB2FF48310B2585A9D815AB364C736FC91CBA4
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26cc78054f68c76662d55978c86b455687ce7b7acd041a20bd1a2c310a5a93f5
                                                          • Instruction ID: 2c859cd52b3191fc638a273ac68aeb70f8d39f1fa4df26d118ca435854206a4e
                                                          • Opcode Fuzzy Hash: 26cc78054f68c76662d55978c86b455687ce7b7acd041a20bd1a2c310a5a93f5
                                                          • Instruction Fuzzy Hash: 2A51E0347052119FD715DB79E984A6A77E7EFC8224B18457AE009DF392EB71EC02CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 239f34589ded23eb5f46439f6703670af5cfc07b045debb9ae168032433d2934
                                                          • Instruction ID: 8cef7b818ddddc64ae281196c6544da988a433139cdc0c24fff169f7424c7841
                                                          • Opcode Fuzzy Hash: 239f34589ded23eb5f46439f6703670af5cfc07b045debb9ae168032433d2934
                                                          • Instruction Fuzzy Hash: 6A5191347092908FCB16CB74D9946A97FB2EF8A314F1940EAD445EF292CB65EC06CB61
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd1b487741f631699b326853dfd03055876c03451a9cdaa1cde8e6da7ba2dbeb
                                                          • Instruction ID: 4090ab07daf531499e21cb2792a3220b1ff57f052ce19a7f0de9b79171a4d09d
                                                          • Opcode Fuzzy Hash: bd1b487741f631699b326853dfd03055876c03451a9cdaa1cde8e6da7ba2dbeb
                                                          • Instruction Fuzzy Hash: 386126B5E002589FDB14DFA9D584B9DBBF2FF88310F14812AE818AB354EB74AD41CB50
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b1d30adfec3286eef5ec942aa7df35a411ddc9526204d834d1e1a2d50bab1411
                                                          • Instruction ID: b1ae6a67ba8923a275a11ce7f9e78d13e6ba019d3903760f77830afe1c15a7a4
                                                          • Opcode Fuzzy Hash: b1d30adfec3286eef5ec942aa7df35a411ddc9526204d834d1e1a2d50bab1411
                                                          • Instruction Fuzzy Hash: B05118B5E002589FDB14DFA9D584B9DBBF2FF88314F14802AE819AB354EB74AD41CB50
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 79732f5691027bf5a7b120ad0ac0192d2a38899d188b832ef0d78ea9ce39dbca
                                                          • Instruction ID: 87971259e58d64fcac93752297779f91cddb42ef969517034207b710e7409734
                                                          • Opcode Fuzzy Hash: 79732f5691027bf5a7b120ad0ac0192d2a38899d188b832ef0d78ea9ce39dbca
                                                          • Instruction Fuzzy Hash: 754138F1A05302EFDF318F68C90066ABBF29FC6354B1984AAD9108F256D735DD45CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28cfe9dcfbbf02435947c887f003d65863adef0a84bd6f17eb19130e948384ec
                                                          • Instruction ID: 5a8818e7ca8e6adb15b50cca94b344f10dab05c9d9f450178e71cf66a2c56251
                                                          • Opcode Fuzzy Hash: 28cfe9dcfbbf02435947c887f003d65863adef0a84bd6f17eb19130e948384ec
                                                          • Instruction Fuzzy Hash: 64418AB4A00605CFDB05CF48C598EAAFBB2FF48310B118199D816AB360C732FC91CBA4
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 543e513f16f6ea49d5e7fecd46e304d42604e7f38ada06605271fd813718852d
                                                          • Instruction ID: 911e55a5d80ac9695429ec994913a58aaf0a91b18266a175a8e6c85847fb1a09
                                                          • Opcode Fuzzy Hash: 543e513f16f6ea49d5e7fecd46e304d42604e7f38ada06605271fd813718852d
                                                          • Instruction Fuzzy Hash: 72319E393007109FD715EB78E844FAEB7D2EF85225F008629D509CB350DFB1A806CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f482a8f57f9b4fb6cb007a6b83f26540faf2f1abf09cb03cf2a3a16e68f1398b
                                                          • Instruction ID: 05776cce5769bfae01e0949dce33cf28316876a13001d229592d07811cb01ba2
                                                          • Opcode Fuzzy Hash: f482a8f57f9b4fb6cb007a6b83f26540faf2f1abf09cb03cf2a3a16e68f1398b
                                                          • Instruction Fuzzy Hash: 9E41E634E01219EFDB19CBA8D584A9DFBF2AF88304F28C159E414AB365C771AD42CF94
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          • API String ID:
                                                          • Opcode ID: 73642d9480834c3f0d2db909eec22908c4da5bec334d7aa95eb1695059d6f4ab
                                                          • Instruction ID: 7ebbe42c27000a3698bf955105bc33a5330c8297b310b18b2a04f9aab044e7a3
                                                          • Opcode Fuzzy Hash: 73642d9480834c3f0d2db909eec22908c4da5bec334d7aa95eb1695059d6f4ab
                                                          • Instruction Fuzzy Hash: 1DF0EC75504A40AFD725CF05C985D22BBA9EB896207198489E85A4B312C771EC42CF60
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09aba7046d31872cb30c7b2285ddec5ca1dcede7c9d63d0691ae1ef410f83d49
                                                          • Instruction ID: c6a9e8a2fcf3f7b502ad4920c3391a7c28eb74036cddc704783c124388ca52b3
                                                          • Opcode Fuzzy Hash: 09aba7046d31872cb30c7b2285ddec5ca1dcede7c9d63d0691ae1ef410f83d49
                                                          • Instruction Fuzzy Hash: 10E0D8A37092321B5E9071B91A001FA6A8FCEC6471B014333C515E76C1DDA5EC0653F2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ffc27d8b4d130476b647ab2e295164edbd3937bd7071e9f06f06ea6d9b870f4c
                                                          • Instruction ID: fbfa69cbece7237f9b899295ba7082bae658058fffd3d27a145aa2a18e844c1b
                                                          • Opcode Fuzzy Hash: ffc27d8b4d130476b647ab2e295164edbd3937bd7071e9f06f06ea6d9b870f4c
                                                          • Instruction Fuzzy Hash: 90F0E2795093008FD362CB78E4A83DABFF0FB04310F00485BD08AD7281CB396A81CB50
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e13f364a934120188c27faf9ef0f5d0095a25dbcbf5fffb3000c9bfbaca6e47
                                                          • Instruction ID: 1cbd6dd0561d3923aa851f20f776037a59960fdfdcf9f56d857490a8fff62fa5
                                                          • Opcode Fuzzy Hash: 2e13f364a934120188c27faf9ef0f5d0095a25dbcbf5fffb3000c9bfbaca6e47
                                                          • Instruction Fuzzy Hash: A9F0A0797002148FCB10DB6CA940A9A77E3EBCC75470542A8E409CF714DB70ED028B90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe04df60aa69259d4024d912d3cd60d82bb6310834275557b293ade99daa07f
                                                          • Instruction ID: 1f619c368311b71d8d0b226d0c8abd45581e01b43a901929512ae2b86f2a983f
                                                          • Opcode Fuzzy Hash: abe04df60aa69259d4024d912d3cd60d82bb6310834275557b293ade99daa07f
                                                          • Instruction Fuzzy Hash: 06E0DF2230C3A61B8B17C02E38110E6BF6787C757030A84BBE084CB682DC879A0243E5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dcd34981d9a79e1acee6e84f86763c45ea43c8c18528c881b5f4e0656beaf86c
                                                          • Instruction ID: cef027474fd5f582d2652f1dbb9550191d4ffa1ffb33b729b1bec84600591c96
                                                          • Opcode Fuzzy Hash: dcd34981d9a79e1acee6e84f86763c45ea43c8c18528c881b5f4e0656beaf86c
                                                          • Instruction Fuzzy Hash: D8E0ED357002118F87109B1DD454C66B7FAEFCE61932500A9F545DB725DA61EC018B94
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d2c8c0619c3250d55cd2f5703a1e51a0aa32dc597919dc1acf7ab17218d8898
                                                          • Instruction ID: 3302e11f7ee17edfe702d127c46c1a1215652c968229d3455c08d47eef718886
                                                          • Opcode Fuzzy Hash: 7d2c8c0619c3250d55cd2f5703a1e51a0aa32dc597919dc1acf7ab17218d8898
                                                          • Instruction Fuzzy Hash: 75F0A03E30D7909BC70B6774A4182AD7BA2BBC9225B05419BE6158B282CF291D0583D5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2cdddaf17919509d540445b392dd7b6be3a7743e1082c523a5693d2b2d25b90a
                                                          • Instruction ID: 007c64ea067c6f3ceee0ae1c811fc546669388e8502577989907b0b5fe3ccc37
                                                          • Opcode Fuzzy Hash: 2cdddaf17919509d540445b392dd7b6be3a7743e1082c523a5693d2b2d25b90a
                                                          • Instruction Fuzzy Hash: 72E04F3990C2098BCB0ABBB8F90B8FEBF70FA10311B01416AE94292581DA255A46CAC1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba357a071809cad3f2ec195cc3bf60100ffc25c0a29e7537ac15831a946d4831
                                                          • Instruction ID: cd71a1ae191163b5b5c2acc7962c54d7f10226e90261e6728f433501238512be
                                                          • Opcode Fuzzy Hash: ba357a071809cad3f2ec195cc3bf60100ffc25c0a29e7537ac15831a946d4831
                                                          • Instruction Fuzzy Hash: 41F06D74A043048BD760DF79E89C79A7BE5FB44310F004829E11ED7240DB39A880CB90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6329f1df57058b86c6883c8f57874a55cf8e2d590c3cd8596e7ca6c14b3545e
                                                          • Instruction ID: 72100fda512dbb6b3a5255cc1f49d7d060fb42738374bdc487f1ba45826baf50
                                                          • Opcode Fuzzy Hash: f6329f1df57058b86c6883c8f57874a55cf8e2d590c3cd8596e7ca6c14b3545e
                                                          • Instruction Fuzzy Hash: 9FE02632B00024A78B4885AAE8014FCFBA6DBCC221F04803FD90AA7340EE72680686E1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7c50974056fd6c97eef1821b9e264d1fc19f5d0e5b6a96e0d30a0c14eb50e1a
                                                          • Instruction ID: c1a1566dea7817d772c08eab6bd03bd06a015a4aa5dc85a48ad54e11657cb659
                                                          • Opcode Fuzzy Hash: c7c50974056fd6c97eef1821b9e264d1fc19f5d0e5b6a96e0d30a0c14eb50e1a
                                                          • Instruction Fuzzy Hash: D2F0A030E0424D9B8B50DFBC89406AAFFF19B06224F2482ADD858DA342F6739502EBC0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3463f6a759305a97633aa284bf94bbe4819c069c9b4cbc06a3309e4f75a47fb
                                                          • Instruction ID: 47635857f4417f6134e37717ec7eb55353a52de9aa3e961a98414b0aba2060b1
                                                          • Opcode Fuzzy Hash: c3463f6a759305a97633aa284bf94bbe4819c069c9b4cbc06a3309e4f75a47fb
                                                          • Instruction Fuzzy Hash: BCE04F3970861497CB0A6B79A81C6AE7A66BBC8725F04012AE61A87340CF79690593D9
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 86543532f49755f3e46380b91c8704f53f404c6c267a721052014af13918349f
                                                          • Instruction ID: 159d04215bf48819026a0291b40f885242550ad2fea522b36cfa060869717f4a
                                                          • Opcode Fuzzy Hash: 86543532f49755f3e46380b91c8704f53f404c6c267a721052014af13918349f
                                                          • Instruction Fuzzy Hash: E0D0A7627011360F5E5470FE1A006BBA9CFCEC54A5B4543369A05F3385EEE8EC0A53F1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f48f652010cbb9c0329166851e3c61f6aaf13aa7223c382be96e7c32a8674cea
                                                          • Instruction ID: 80879186b3afb20961ad3baee9c54165e977285b122586784dd316942b11ab32
                                                          • Opcode Fuzzy Hash: f48f652010cbb9c0329166851e3c61f6aaf13aa7223c382be96e7c32a8674cea
                                                          • Instruction Fuzzy Hash: 2DE0263591C1878BC715E728E4828E8FFB1BA022253004295ECC1572C1D7122807C780
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 525645bb1db824c190c5029f0d936a8ca542bd14f806605b608413a4754328bd
                                                          • Instruction ID: 8cd864c0384290582b3353af716472512119fed2dcef0bed83978e5551a6924c
                                                          • Opcode Fuzzy Hash: 525645bb1db824c190c5029f0d936a8ca542bd14f806605b608413a4754328bd
                                                          • Instruction Fuzzy Hash: 2DD02E3024E3E54FC3072B7468A90843F26CBC222230904EBE40DCF0E3CE94A808CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction ID: 6960e7398840b318fa5fce8577789395b83daf886edd13ce3062c269d3b716fd
                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction Fuzzy Hash: DBD067B0E0421D9F8780EFADC94156EFBF4EB49200F6485AE9919E7301F7729A12DBD1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 514661584736069d64956a5fe236be8a8c8028c5f425a9c905a74e63833d53a0
                                                          • Instruction ID: f257d03ac55dcca1e77912bdc322ff578bd7f43513eaa6bc391d4511c5014ac2
                                                          • Opcode Fuzzy Hash: 514661584736069d64956a5fe236be8a8c8028c5f425a9c905a74e63833d53a0
                                                          • Instruction Fuzzy Hash: 73D067399081098BCB0DABA5F85B8BDBB74FA14301F404169E90752191EA352A5ACAD5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ee0e86d2ace6cb007552841a78bde60daf8addd9341f33f0160f106e93e32d99
                                                          • Instruction ID: 3d5cff480e58c0f9f2c038127e60307d4c73c584f761bf1fb72831e66cdf9151
                                                          • Opcode Fuzzy Hash: ee0e86d2ace6cb007552841a78bde60daf8addd9341f33f0160f106e93e32d99
                                                          • Instruction Fuzzy Hash: 1BC04C2A7492E14FEE4352321C651992F72C5C362670E46D3E981CB4F7CA18CD8B86E2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd582fa0463325494b67b6f014e85ba0df8596ff9e4ecfca3d02274c225bfb45
                                                          • Instruction ID: b3dc8777ab0f87a3e756cf5d829f27e9b0915dd01fbe65460fc8718df9b96f18
                                                          • Opcode Fuzzy Hash: cd582fa0463325494b67b6f014e85ba0df8596ff9e4ecfca3d02274c225bfb45
                                                          • Instruction Fuzzy Hash: F7B09230044708CFC2486FB9A408A197729AB4022639144A9E91E0A29A8E36E884CE44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cDk$4'q$4'q$84Ol$84Ol$tPq$tPq$JRl$JRl$JRl$JRl$JRl
                                                          • API String ID: 0-2631329062
                                                          • Opcode ID: 00d5c41f24171471e6b213952fb1ca346ef406de88df4d00de74932b3a997a93
                                                          • Instruction ID: cc1fb27759ff641c7e41ba11adaf8297aee9d12a8b12437882e2f4dc43502cf9
                                                          • Opcode Fuzzy Hash: 00d5c41f24171471e6b213952fb1ca346ef406de88df4d00de74932b3a997a93
                                                          • Instruction Fuzzy Hash: 4791F871B0434AAFD7258B69D8047AAFBF2AFC5210F18C07BD9658B295DB31CC42C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q$Gl$Gl
                                                          • API String ID: 0-338067305
                                                          • Opcode ID: 8462a3c63864256e63c7053dc8c7a6827478ebed86f4d393f7d7452c9b9ee8d2
                                                          • Instruction ID: d192a501d770d8ea81b356e686081d3b0683dcc0db21652b892d8ede18da9faf
                                                          • Opcode Fuzzy Hash: 8462a3c63864256e63c7053dc8c7a6827478ebed86f4d393f7d7452c9b9ee8d2
                                                          • Instruction Fuzzy Hash: 7EA15BB1704356AFDF249B699805B6ABBF6AFC6610F18807BE455CF291CB32CC42C761
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fq$84Ol$`Qq$`Qq$tPq$$q$$q$$q$$q$$q
                                                          • API String ID: 0-2991555477
                                                          • Opcode ID: 5ecaf2efd28230017ce39d46eac62d66f67f9345cb6616fc3aa3e6d9512fdfa1
                                                          • Instruction ID: a22ee8847c27f2253e119d17ed728b33e3e40b3a928d611c3aa957dd7a0e27a9
                                                          • Opcode Fuzzy Hash: 5ecaf2efd28230017ce39d46eac62d66f67f9345cb6616fc3aa3e6d9512fdfa1
                                                          • Instruction Fuzzy Hash: 2A619BB0A0420EFFDF24CF44D544BAAB7F2BB85351F18806AE8259B290C735DD84CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q$$q$Gl$Gl
                                                          • API String ID: 0-2055229760
                                                          • Opcode ID: f1c589370920761af61da081735fec36434f69c63fd05e8bcebe62d872af28e1
                                                          • Instruction ID: 8de4525d831f535c4628f7eaaa02ef36e6c63529e2be853525cd271abfc1cafc
                                                          • Opcode Fuzzy Hash: f1c589370920761af61da081735fec36434f69c63fd05e8bcebe62d872af28e1
                                                          • Instruction Fuzzy Hash: 72516BB5704346AFDF249B6998007A6BBB1AFC6621F18807BD465CB251DB35C842CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TcDk$lcDk$JRl$JRl$JRl$JRl
                                                          • API String ID: 0-4195200314
                                                          • Opcode ID: edfcac25dde60545521645ce0cc6c6b7524eb3eca1509e959c6d26d504f0b90e
                                                          • Instruction ID: d1496052b91079db98a14a7490f636e3c0f95e9e2989ba39df73e2833245c8a2
                                                          • Opcode Fuzzy Hash: edfcac25dde60545521645ce0cc6c6b7524eb3eca1509e959c6d26d504f0b90e
                                                          • Instruction Fuzzy Hash: 171104B1B18392AFD3158B149C10B66BBB6BBD7710B0484ABC5608FAD2CB35CC55C3A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: b56cbba0a9756709eb7eddece657ba585f9a36a0ced33635774e84563e69159a
                                                          • Instruction ID: cf44efa1fd76065a949a244d1fcb445e6d287e4731057efa90b36fe3044b1abe
                                                          • Opcode Fuzzy Hash: b56cbba0a9756709eb7eddece657ba585f9a36a0ced33635774e84563e69159a
                                                          • Instruction Fuzzy Hash: E2B1B578E013199FDB54DFA9D980A9EFBF2FF48310F108629D419AB345DB70A9058FA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2007327116.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4c20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: 52eaa757a1cfca37ee2ff623dad32cea76de8868416c536c14946910ec56673d
                                                          • Instruction ID: 586a2fc49a57f915b7e21b0ea4486c49ce7ddfad0f5dbf8c2816e882cfcb0e31
                                                          • Opcode Fuzzy Hash: 52eaa757a1cfca37ee2ff623dad32cea76de8868416c536c14946910ec56673d
                                                          • Instruction Fuzzy Hash: 66B19478E013199FDB54DFA9D980A9EFBF2BF48314F108629D419AB344DB70A905CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$84Ol$tPq$JRl$JRl
                                                          • API String ID: 0-2090232548
                                                          • Opcode ID: 5663de95d5db37d30dd3c8930ab3d6c82425026dea26bd963e04d69369d6a1d1
                                                          • Instruction ID: 4372da7db150698b6f7202e9617ea81155d5d6eef558dddb3c923605e10cd9d9
                                                          • Opcode Fuzzy Hash: 5663de95d5db37d30dd3c8930ab3d6c82425026dea26bd963e04d69369d6a1d1
                                                          • Instruction Fuzzy Hash: 1A218BB2B0424BFBDB248F44D841B6AB7B2AFC5351F1880BBDA655F291C332C841C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$rQl$rQl
                                                          • API String ID: 0-3088381737
                                                          • Opcode ID: 8d3714068ca7d70513c4f22b10979ecfe7c3f81287e0d4a2924b8de8edc8a673
                                                          • Instruction ID: 8442d853cbc15b2a8932a67b9ce7ff7567c8bdbd07147958ef41e5704f8ea030
                                                          • Opcode Fuzzy Hash: 8d3714068ca7d70513c4f22b10979ecfe7c3f81287e0d4a2924b8de8edc8a673
                                                          • Instruction Fuzzy Hash: A13107B1B0530AFFCB25DF69D4046A9BBF2AFC6211F14807AD476CB255DB358842CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$$q$$q
                                                          • API String ID: 0-4102054182
                                                          • Opcode ID: f440e19c7ee9ea259c853f025a6359b67e3bdcb2dd780660c8fbeca0daa3aba8
                                                          • Instruction ID: 46571b155e38441686d55d96e430882cfe00c953de4a53ec69052c3090f6615d
                                                          • Opcode Fuzzy Hash: f440e19c7ee9ea259c853f025a6359b67e3bdcb2dd780660c8fbeca0daa3aba8
                                                          • Instruction Fuzzy Hash: A7216EB2B14306B7EB345A2A5800B27B7E69FC5616F24443AE515DB381DF35C411CB25
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q
                                                          • API String ID: 0-3199993180
                                                          • Opcode ID: 0ac91a7bd16169aba3c29c96df427a5d2aac16f57d336127db1d048964d8e4a3
                                                          • Instruction ID: 3d0b7367f3254949204690a032516cad25549c53b4b595e747da4bcf0a815396
                                                          • Opcode Fuzzy Hash: 0ac91a7bd16169aba3c29c96df427a5d2aac16f57d336127db1d048964d8e4a3
                                                          • Instruction Fuzzy Hash: E701B160A0D3D65FC72B537828242ABAFB29EC751472E40EBD491CF297DA144C09C3B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$JRl$JRl
                                                          • API String ID: 0-2494032063
                                                          • Opcode ID: b3e0f7a6e69abcd8842b35872d87fd7bc1e05ed9b67b09485d29d40c03f8f52d
                                                          • Instruction ID: 0d5836c05e95504f80631e0e89aa8b57694ad3615cf6d13925d8678844291ed4
                                                          • Opcode Fuzzy Hash: b3e0f7a6e69abcd8842b35872d87fd7bc1e05ed9b67b09485d29d40c03f8f52d
                                                          • Instruction Fuzzy Hash: 7CF027B2B0020367D234420D5C0075BD3E7FBC5E10B198137DA216F298CB34CC128792

                                                          Execution Graph

Execution Coverage: 5.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
                                                          execution_graph 22897 8956428 22898 895646b SetThreadToken 22897->22898 22899 8956499 22898->22899

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 388 2f8b490-2f8b4b9 389 2f8b4bb 388->389 390 2f8b4be-2f8b7f9 call 2f8aab4 388->390 389->390 451 2f8b7fe-2f8b805 390->451
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kU?p^${U?p^$[?p^
                                                          • API String ID: 0-1626820082
                                                          • Opcode ID: 2014166a54a7d2eed01615d88834d263e47831baf0020773cdca85471614691f
                                                          • Instruction ID: e1345c63d7a128c6ac84d82964640c31a54d7a49753143abd6d7286eb8fc05fb
                                                          • Opcode Fuzzy Hash: 2014166a54a7d2eed01615d88834d263e47831baf0020773cdca85471614691f
                                                          • Instruction Fuzzy Hash: DB914174F007149BDB19EFB888106AFBBE3EF84700B448919D616AB384DF749E058BD5

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 452 2f8b4a0-2f8b4b9 453 2f8b4bb 452->453 454 2f8b4be-2f8b7f9 call 2f8aab4 452->454 453->454 515 2f8b7fe-2f8b805 454->515
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: kU?p^${U?p^$[?p^
                                                          • API String ID: 0-1626820082
                                                          • Opcode ID: a7bb01172fea63b2f978219eba1863fad735464aecf33a9e7f82ff382c358a24
                                                          • Instruction ID: 93b23798a7faba3bdc930bdc94517d23335371c6932d6ce6db56f6494ef7f6d9
                                                          • Opcode Fuzzy Hash: a7bb01172fea63b2f978219eba1863fad735464aecf33a9e7f82ff382c358a24
                                                          • Instruction Fuzzy Hash: 77914275F007145BDB19EFB988106AFBAE3EFC4B00B408929D616AB384DF749E058BD5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$JRl$JRl$JRl$JRl$JRl$JRl$rQl$rQl
                                                          • API String ID: 0-3103325787
                                                          • Opcode ID: 78725745fddd3209e13258354ebc5441dfd6e1b3b97fa94180fa3ac71f8c74c0
                                                          • Instruction ID: 2a6635f490bee3e278266fe99494828461d54c7b2f305f77af61eba3ee6f3025
                                                          • Opcode Fuzzy Hash: 78725745fddd3209e13258354ebc5441dfd6e1b3b97fa94180fa3ac71f8c74c0
                                                          • Instruction Fuzzy Hash: EE2247B1B007069FDB209B6998417AAB7EDFF8A251F1484BAD505CF253DB35CC41CBA2

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
control_flow_graph 209 77e3ce8-77e3d0d 210 77e3d13-77e3d18 209->210 211 77e3f00-77e3f16 209->211 212 77e3d1a-77e3d20 210->212 213 77e3d30-77e3d34 210->213 219 77e3f1f-77e3f4a 211->219 220 77e3f18-77e3f1d 211->220 215 77e3d24-77e3d2e 212->215 216 77e3d22 212->216 217 77e3d3a-77e3d3c 213->217 218 77e3eb0-77e3eba 213->218 215->213 216->213 223 77e3d3e-77e3d4a 217->223 224 77e3d4c 217->224 221 77e3ebc-77e3ec5 218->221 222 77e3ec8-77e3ece 218->222 226 77e40ce-77e40de 219->226 227 77e3f50-77e3f55 219->227 220->219 225 77e3f70-77e3f71 220->225 228 77e3ed4-77e3ee0 222->228 229 77e3ed0-77e3ed2 222->229 231 77e3d4e-77e3d50 223->231 224->231 235 77e3f72-77e3f79 225->235 236 77e4080-77e408a 225->236 246 77e40e7-77e4112 226->246 247 77e40e0-77e40e5 226->247 232 77e3f6d 227->232 233 77e3f57-77e3f5d 227->233 234 77e3ee2-77e3efd 228->234 229->234 231->218 237 77e3d56-77e3d75 231->237 232->225 238 77e3f5f 233->238 239 77e3f61-77e3f6b 233->239 242 77e3f7b-77e3f87 235->242 243 77e3f89 235->243 244 77e408c-77e4094 236->244 245 77e4097-77e409d 236->245 264 77e3d77-77e3d83 237->264 265 77e3d85 237->265 238->232 239->232 249 77e3f8b-77e3f8d 242->249 243->249 251 77e409f-77e40a1 245->251 252 77e40a3-77e40af 245->252 256 77e4228-77e425d 246->256 257 77e4118-77e411d 246->257 247->246 249->236 253 77e3f93-77e3fb2 249->253 254 77e40b1-77e40cb 251->254 252->254 288 77e3fb4-77e3fc0 253->288 289 77e3fc2 253->289 285 77e425f-77e4281 256->285 286 77e428b-77e4295 256->286 260 77e411f-77e4125 257->260 261 77e4135-77e4139 257->261 268 77e4129-77e4133 260->268 269 77e4127 260->269 270 77e413f-77e4141 261->270 271 77e41da-77e41e4 261->271 272 77e3d87-77e3d89 264->272 265->272 268->261 269->261 275 77e4143-77e414f 270->275 276 77e4151 270->276 273 77e41e6-77e41ee 271->273 274 77e41f1-77e41f7 271->274 272->218 279 77e3d8f-77e3d96 272->279 281 77e41fd-77e4209 274->281 282 77e41f9-77e41fb 274->282 283 77e4153-77e4155 275->283 276->283 279->211 287 77e3d9c-77e3da1 279->287 290 77e420b-77e4225 281->290 282->290 283->271 291 77e415b-77e415d 283->291 325 77e42d5-77e42fe 285->325 326 77e4283-77e4288 285->326 296 77e429f-77e42a5 286->296 297 77e4297-77e429c 286->297 292 77e3db9-77e3dc8 287->292 293 77e3da3-77e3da9 287->293 294 77e3fc4-77e3fc6 288->294 289->294 298 77e415f-77e4165 291->298 299 77e4177-77e417e 291->299 292->218 321 77e3dce-77e3dec 292->321 301 77e3dad-77e3db7 293->301 302 77e3dab 293->302 294->236 303 77e3fcc-77e4003 294->303 305 77e42ab-77e42b7 296->305 306 77e42a7-77e42a9 296->306 307 77e4169-77e4175 298->307 308 77e4167 298->308 309 77e4196-77e41d7 299->309 310 77e4180-77e4186 299->310 301->292 302->292 335 77e401d-77e4024 303->335 336 77e4005-77e400b 303->336 315 77e42b9-77e42d2 305->315 306->315 307->299 308->299 311 77e418a-77e4194 310->311 312 77e4188 310->312 311->309 312->309 321->218 333 77e3df2-77e3e17 321->333 341 77e432d-77e4335 325->341 342 77e4300-77e4326 325->342 333->218 356 77e3e1d-77e3e24 333->356 339 77e403c-77e407d 335->339 340 77e4026-77e402c 335->340 337 77e400f-77e401b 336->337 338 77e400d 336->338 337->335 338->335 344 77e402e 340->344 345 77e4030-77e403a 340->345 350 77e438b-77e438f 341->350 351 77e4337-77e433e 341->351 342->341 344->339 345->339 359 77e4395-77e439f 350->359 354 77e4347-77e435c 351->354 355 77e4340-77e4346 351->355 358 77e435e-77e437b 354->358 354->359 355->354 360 77e3e6a-77e3e9d 356->360 361 77e3e26-77e3e41 356->361 370 77e437d-77e4389 358->370 371 77e43e5-77e43ea 358->371 362 77e43a8-77e43ae 359->362 363 77e43a1-77e43a5 359->363 382 77e3ea4-77e3ead 360->382 372 77e3e5b-77e3e5f 361->372 373 77e3e43-77e3e49 361->373 367 77e43b4-77e43c0 362->367 368 77e43b0-77e43b2 362->368 369 77e43c2-77e43e2 367->369 368->369 370->350 371->370 378 77e3e66-77e3e68 372->378 376 77e3e4d-77e3e59 373->376 377 77e3e4b 373->377 376->372 377->372 378->382
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q
                                                          • API String ID: 0-4210068417
                                                          • Opcode ID: 9a217db4da490f885ae318f0ce8da601a96d74d0dc05074ab650edb50830b9b3
                                                          • Instruction ID: 56c715396c6b950958658711a74283117270efb48a0301603e8f979bea0ed5d0
                                                          • Opcode Fuzzy Hash: 9a217db4da490f885ae318f0ce8da601a96d74d0dc05074ab650edb50830b9b3
                                                          • Instruction Fuzzy Hash: 291280B1B043568FDB218B7898017AABBF69FCA394F1484BAE505CF251DB35CC42C7A1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 516 8956421-8956463 517 895646b-8956497 SetThreadToken 516->517 518 89564a0-89564bd 517->518 519 8956499-895649f 517->519 519->518
                                                          APIs
                                                          • SetThreadToken.KERNELBASE(EFC00840), ref: 0895648A
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2076751529.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8950000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ThreadToken
                                                          • String ID:
                                                          • API String ID: 3254676861-0
                                                          • Opcode ID: 9dc14d3d650aec5bb527e560cef1fbca8782e28317baa5175fe4ce0e2428d0e8
                                                          • Instruction ID: 51a042fa069bf574626423b4e63f5d6bb0f0829948e7bf67c12df5bffb720628
                                                          • Opcode Fuzzy Hash: 9dc14d3d650aec5bb527e560cef1fbca8782e28317baa5175fe4ce0e2428d0e8
                                                          • Instruction Fuzzy Hash: 341113B5D003488FDB20DFAAD884BDEFBF5AB88224F24841AD419A7750C775A944CFA5

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 522 8956428-8956497 SetThreadToken 524 89564a0-89564bd 522->524 525 8956499-895649f 522->525 525->524
                                                          APIs
                                                          • SetThreadToken.KERNELBASE(EFC00840), ref: 0895648A
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2076751529.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_8950000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ThreadToken
                                                          • String ID:
                                                          • API String ID: 3254676861-0
                                                          • Opcode ID: b4a7be57db63d1494f9486cace45ffb12d561fb2b46700673c6244d9a71beb50
                                                          • Instruction ID: 26688bb84382b2fe5aab6a00347ebb93a162f489081fa6b573538e40109beac1
                                                          • Opcode Fuzzy Hash: b4a7be57db63d1494f9486cace45ffb12d561fb2b46700673c6244d9a71beb50
                                                          • Instruction Fuzzy Hash: F21103B5D003088FDB20DF9AD884BDEFBF9EB48224F24841AD419A7350C779A944CFA5
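The function records above (the "APIs / Memory Dump Source / Similarity" blocks) are the only place this report ties a Win32 import such as SetThreadToken to a specific process dump and call site, and the same Opcode ID recurs across records from one dump. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads records in the format shown on this page, keys them by analysed process, and lists API call sites and distinct functions per process. It assumes the snapshot file name follows the `hcaresult_<pid>_<run>_<base>_<process>.jbxd` pattern visible in the records (the PID 12 matches the `0000000C` prefix of the source file name); the sample input below is constructed by copying three records from this page.

```python
"""Parse Joe Sandbox function records into structured data and summarise
which Windows APIs each analysed process calls. Added example; not part of
the Joe Sandbox report. Snapshot naming convention is an assumption drawn
from the records on the page."""
import re
from collections import defaultdict

_END_FIELD = "Instruction Fuzzy Hash"  # last bullet of every record on the page
# Assumed: hcaresult_<pid>_<run>_<base>_<process>.jbxd
_SNAPSHOT = re.compile(
    r"hcaresult_(?P<pid>\d+)_(?P<run>\d+)_(?P<base>[0-9a-fA-F]+)_(?P<proc>[^.]+)\.jbxd")
# API bullets look like "SetThreadToken.KERNELBASE(EFC00840), ref: 0895648A"
_API = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Constructed sample: three records copied from this report (two SetThreadToken
# records from the PID 12 PowerShell dump, one string-only record from PID 9).
SAMPLE = """
APIs
• SetThreadToken.KERNELBASE(EFC00840), ref: 0895648A
Memory Dump Source
• Source File: 0000000C.00000002.2076751529.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8950000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 9dc14d3d650aec5bb527e560cef1fbca8782e28317baa5175fe4ce0e2428d0e8
• Instruction Fuzzy Hash: 341113B5D003488FDB20DFAAD884BDEFBF5AB88224F24841AD419A7750C775A944CFA5
APIs
• SetThreadToken.KERNELBASE(EFC00840), ref: 0895648A
Memory Dump Source
• Source File: 0000000C.00000002.2076751529.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false
• Snapshot File: hcaresult_12_2_8950000_powershell.jbxd
• API ID: ThreadToken
• Opcode ID: b4a7be57db63d1494f9486cace45ffb12d561fb2b46700673c6244d9a71beb50
• Instruction Fuzzy Hash: F21103B5D003088FDB20DF9AD884BDEFBF9EB48224F24841AD419A7350C779A944CFA5
Strings
Memory Dump Source
• Source File: 00000009.00000002.2019440879.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
• Snapshot File: hcaresult_9_2_7aa0000_powershell.jbxd
• API ID:
• String ID: 4'q$4'q$rQl$rQl
• Opcode ID: 8d3714068ca7d70513c4f22b10979ecfe7c3f81287e0d4a2924b8de8edc8a673
• Instruction Fuzzy Hash: A13107B1B0530AFFCB25DF69D4046A9BBF2AFC6211F14807AD476CB255DB358842CBA1
"""


def parse_records(text):
    """Split a listing into records; each record is a dict of its bullet fields
    plus an 'apis' list of parsed API call sites."""
    records, current = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # section headers ("APIs", "Strings", ...) carry no data
        body = line.lstrip("•").strip()
        api = _API.match(body)
        if api:
            current["apis"].append(api.groupdict())
            continue
        key, _, val = body.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Snapshot File":
            snap = _SNAPSHOT.search(val)
            if snap:
                current["pid"] = int(snap.group("pid"))
                current["process"] = snap.group("proc")
                current["base"] = int(snap.group("base"), 16)
        current[key] = val
        if key == _END_FIELD:  # record complete
            records.append(current)
            current = {"apis": []}
    return records


def summarize(records):
    """Per (pid, process): distinct functions by Opcode ID and APIs called."""
    out = defaultdict(lambda: {"opcode_ids": set(), "apis": set()})
    for r in records:
        entry = out[(r.get("pid"), r.get("process"))]
        entry["opcode_ids"].add(r.get("Opcode ID"))
        entry["apis"].update(a["api"] for a in r["apis"])
    return dict(out)


def api_call_sites(records, api_name):
    """(pid, module, call-site address) for every record calling api_name."""
    return [(r.get("pid"), a["module"], int(a["ref"], 16))
            for r in records for a in r["apis"] if a["api"] == api_name]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (pid, proc), s in sorted(summarize(recs).items()):
        print(pid, proc, len(s["opcode_ids"]), "functions", sorted(s["apis"]))
    print(api_call_sites(recs, "SetThreadToken"))
```

Run against the full report text, the summary shows that the SetThreadToken call sites all sit in the PID 12 PowerShell dump at 0x895648A, which is the evidence behind the "launch a process as a different user" signature; deduplicating on Opcode ID keeps the two records that share one call site from being counted as independent functions.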

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 528 2f86fc8-2f86fe7 529 2f870ed-2f8712b 528->529 530 2f86fed-2f86ff0 528->530 557 2f86ff2 call 2f8767f 530->557 558 2f86ff2 call 2f87664 530->558 531 2f86ff8-2f8700a 533 2f8700c 531->533 534 2f87016-2f8702b 531->534 533->534 539 2f87031-2f87041 534->539 540 2f870b6-2f870cf 534->540 542 2f8704d-2f8705b call 2f8bf20 539->542 543 2f87043 539->543 546 2f870da 540->546 547 2f870d1 540->547 549 2f87061-2f87065 542->549 543->542 546->529 547->546 550 2f870a5-2f870b0 549->550 551 2f87067-2f87077 549->551 550->539 550->540 552 2f87079-2f87091 551->552 553 2f87093-2f8709d 551->553 552->550 553->550 557->531 558->531
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (q
                                                          • API String ID: 0-2414175341
                                                          • Opcode ID: fb5b1613493f81323696f8824a90ad10ea0ec71a1d1e5c6a311092177e7cac54
                                                          • Instruction ID: 85ff2161ffd4932751816fbc946d711a5934139af03cff6b5726ac00f8bbfe2e
                                                          • Opcode Fuzzy Hash: fb5b1613493f81323696f8824a90ad10ea0ec71a1d1e5c6a311092177e7cac54
                                                          • Instruction Fuzzy Hash: 3E414835B042088FDB14EF64C458BAAFBF2AF8E655F248499E506EB391DB35DC01CB61

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 559 2f8e619-2f8e630 560 2f8e632-2f8e689 559->560 561 2f8e693-2f8e6b6 559->561 560->561 568 2f8e73a-2f8e753 561->568 569 2f8e6bc-2f8e6d3 561->569 572 2f8e75e 568->572 573 2f8e755 568->573 574 2f8e6db-2f8e738 569->574 575 2f8e75f 572->575 573->572 574->568 574->569 575->575
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: JRl
                                                          • API String ID: 0-2598050757
                                                          • Opcode ID: 6fed62c388da5e7ec2120ad07371ad66a65d03fcee2ee052b42596ee6e960ec7
                                                          • Instruction ID: 8710d21d94b2c028c32372221f011fbaaaa8f9d09d684722b798b0e63f4b5c78
                                                          • Opcode Fuzzy Hash: 6fed62c388da5e7ec2120ad07371ad66a65d03fcee2ee052b42596ee6e960ec7
                                                          • Instruction Fuzzy Hash: 42315E34E002499FCB15DF78D594ADEBBF2EF89244F148569D416EB391DB30AC05CBA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 583 2f8e640-2f8e6b6 590 2f8e73a-2f8e753 583->590 591 2f8e6bc-2f8e6d3 583->591 594 2f8e75e 590->594 595 2f8e755 590->595 596 2f8e6db-2f8e738 591->596 597 2f8e75f 594->597 595->594 596->590 596->591 597->597
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: JRl
                                                          • API String ID: 0-2598050757
                                                          • Opcode ID: 6e7914690aa3ff01f94d765006eabc278286046f65034d5adfbd7fbc197f3d1d
                                                          • Instruction ID: e5db9892f1c2533bcb1db391cebb262bdf3eee15881774ebda97a5f4d8801337
                                                          • Opcode Fuzzy Hash: 6e7914690aa3ff01f94d765006eabc278286046f65034d5adfbd7fbc197f3d1d
                                                          • Instruction Fuzzy Hash: 3A315834E002099FCB14DF79D994A9EFBF2FF88644F108529E516AB391DB30AD05CBA0

                                                          Control-flow Graph (rendered graph; executed/not-executed colouring not preserved): function 2f8afa8, basic blocks spanning 2f8afa8-2f8b08b, with a call to 2f8a79c from the entry block.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (&q
                                                          • API String ID: 0-583763264
                                                          • Opcode ID: b4c9761095577de0f5f5671742410e5c4a04c234c4d9614972b44b528d0efb8f
                                                          • Instruction ID: 4a38706e4774b897cdf7ef749f811020f129ade65f5ea380b927174b429b857c
                                                          • Opcode Fuzzy Hash: b4c9761095577de0f5f5671742410e5c4a04c234c4d9614972b44b528d0efb8f
                                                          • Instruction Fuzzy Hash: 0F21D175E043188FCB14DBAAE800B9EBBF5EB88324F14846ED518E7340CB349805CBA5

                                                          Control-flow Graph (rendered graph; executed/not-executed colouring not preserved): function 2f8dc90, basic blocks spanning 2f8dc90-2f8dcdb; the call at 2f8dcd2 resolves to two targets, 2f8dcf0 and 2f8dce1.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .?p^
                                                          • API String ID: 0-3310892782
                                                          • Opcode ID: ca38b9fb2aefddf966ebd4f32e8aaf64bccb8ab2295ba6b010db902dc08cc259
                                                          • Instruction ID: 7c73466ad30d3311d0723cb60499c3e6997fb81c52ceb6b09b7ba4a059a4f1b2
                                                          • Opcode Fuzzy Hash: ca38b9fb2aefddf966ebd4f32e8aaf64bccb8ab2295ba6b010db902dc08cc259
                                                          • Instruction Fuzzy Hash: 53F0A03160A7906BC313A37D981089F7FAACDC75B0308409ED196CB252CA548806C7F7

                                                          Control-flow Graph (rendered graph; executed/not-executed colouring not preserved): function 2f8dca0, basic blocks spanning 2f8dca0-2f8dcdb and overlapping the 2f8dc90 function above; the call at 2f8dcd2 resolves to two targets, 2f8dcf0 and 2f8dce1.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .?p^
                                                          • API String ID: 0-3310892782
                                                          • Opcode ID: 626d2fcb33b24fa11cbda5a0679d62097bc1b43342fd3ce590fe81c393649020
                                                          • Instruction ID: e4e00d5a8c2b60b6095dbf092d1b8470b0dd39a24ed1b2f3273118bf27e409b9
                                                          • Opcode Fuzzy Hash: 626d2fcb33b24fa11cbda5a0679d62097bc1b43342fd3ce590fe81c393649020
                                                          • Instruction Fuzzy Hash: 20E0C231B00614178722772EA80089FB7EFDEC9AF5304802EE219C7340DF64DC0287E6

                                                          Control-flow Graph (rendered graph; executed/not-executed colouring not preserved): function 2f829f0, 35 basic blocks spanning 2f829f0-2f82c50, no calls.
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e9d5916bda4bb852210897d11ea61f59460585a4513a48b8f5fb6bedaa13ae2
                                                          • Instruction ID: 7db33cc8fe6f85a482153b2926e03e4f1b8513ba7c5b4cd047f3a1f6819790d3
                                                          • Opcode Fuzzy Hash: 5e9d5916bda4bb852210897d11ea61f59460585a4513a48b8f5fb6bedaa13ae2
                                                          • Instruction Fuzzy Hash: 0A91AD70A00245CFCB15CF58C494AAEFBB1FF48324B258659DA15AB3A5C736FC91CBA4
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f5e8c1dbe4756eac812cfff7d819f121b92cdfabc531762d31000da4a7f8849
                                                          • Instruction ID: cb5ede2cd9e94b2d645945eeffdfa3dfde214470f4a7f6ab8cd40aa8c5799f04
                                                          • Opcode Fuzzy Hash: 0f5e8c1dbe4756eac812cfff7d819f121b92cdfabc531762d31000da4a7f8849
                                                          • Instruction Fuzzy Hash: EB611971E002489FCB14DFA9D584ADDFBF2FF89354F14816AE509AB361EB349841CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30a75a79a9de252e41fe16f136a855b828cd1dd2f71ca7b0a3ad7cf455bcbf1a
                                                          • Instruction ID: 11814d480339005127064fea92112556f17acb1c3db15c1944c7583e97055e52
                                                          • Opcode Fuzzy Hash: 30a75a79a9de252e41fe16f136a855b828cd1dd2f71ca7b0a3ad7cf455bcbf1a
                                                          • Instruction Fuzzy Hash: 9251AD397002059FD714EB68D844B6AF7EAFFC8294B258569D609CB391EB35DC01CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 516f448af01851e9d271ad272be697960529b863f78e2e08fadb930de6200dfa
                                                          • Instruction ID: 7c320af380ffb557bb18afe3ffe90b208056d2d623419273514b407282a3acc3
                                                          • Opcode Fuzzy Hash: 516f448af01851e9d271ad272be697960529b863f78e2e08fadb930de6200dfa
                                                          • Instruction Fuzzy Hash: C1510975E002489FCB14DFA9D584A9DFBF1EF89354F14806AE909EB365EB349841CBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d290ba2cf094653f7342c1c0dc48877e0380091e6c4c2e35e08dbf35de217520
                                                          • Instruction ID: 55567d67cc42f84dab0e6b21988893d51983bc946e68d2ad9008f1c078e2770d
                                                          • Opcode Fuzzy Hash: d290ba2cf094653f7342c1c0dc48877e0380091e6c4c2e35e08dbf35de217520
                                                          • Instruction Fuzzy Hash: 46515234B003058FDB24EFACD584A6ABBF6EFC82547158569E549DF362DB38DC028B91
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a271387b91fb8722a9ef56d72df14ac57884a32d43a192b745b28bedca13a88f
                                                          • Instruction ID: a4d312d4b9087af6611edc03f4feeb408cbf10a1711b5a0dae32e15de047204b
                                                          • Opcode Fuzzy Hash: a271387b91fb8722a9ef56d72df14ac57884a32d43a192b745b28bedca13a88f
                                                          • Instruction Fuzzy Hash: 78415D78B002058FDB24EF6CD584A6AB7F6EFC82547158568E549DF351EB38EC028F91
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 803ffe2c733500acce64b2684d49a889c2e787866d9e068456f7b7efaa6a9a31
                                                          • Instruction ID: b9b5f9ef584f197fb9f8568957768fdf7a1675602a3ddfc4afa0bca901c66539
                                                          • Opcode Fuzzy Hash: 803ffe2c733500acce64b2684d49a889c2e787866d9e068456f7b7efaa6a9a31
                                                          • Instruction Fuzzy Hash: DC31E4F0A04202DBDB30CE24C941A7AB7BA9F893D8F1884A5D9009F656D735ED41CBA1
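Every Source File entry in this part of the listing points at a memory dump rather than a file on disk, and all of them carry the same protection field (00000040) and "based on PE: false". The script below is an added example, not part of the Joe Sandbox report: it decodes those .sdmp names and groups the listed functions by region so that the regions worth a closer look stand out. The field layout is an assumption inferred from the report itself: the first, second and fourth fields match the process index, phase and base address in the snapshot file name (hcaresult_12_2_2f80000_powershell.jbxd), the fifth field decodes cleanly as a Windows PAGE_* protection value (0x40 = PAGE_EXECUTE_READWRITE), and the seventh is treated as the MEMORY_BASIC_INFORMATION type (0x20000 = MEM_PRIVATE); the sixth and eighth fields are left undecoded. The sample lines are copied from the entries above.

```python
"""Decode Joe Sandbox 'Memory Dump Source' lines and flag RWX, non-PE regions.

Added example, not part of the report. The .sdmp field layout is an
assumption inferred from the report's own snapshot file names.
"""
import re

# winnt.h memory protection constants: low byte selects the access, high bits modify it.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values; assumed to be the seventh .sdmp field.
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Assumed layout: proc.phase.dumpid.base.protection.<unknown>.type.<unknown>.sdmp
SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})"
    r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
SOURCE_LINE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9a-f]+),\s*based on PE:\s*(true|false)", re.I)


def decode_protection(value):
    """Render a PAGE_* value the way VirtualQuery would report it."""
    base = PAGE_PROTECTION.get(value & 0xFF, "UNKNOWN(0x%x)" % (value & 0xFF))
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def parse_sdmp_name(name):
    """Split an .sdmp file name into its (assumed) fields."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox .sdmp name: %s" % name)
    proc, phase, dump_id, base, prot, f6, mem_type, f8 = m.groups()
    prot_val = int(prot, 16)
    type_val = int(mem_type, 16)
    return {
        "process_index": int(proc, 16),  # 0x0C -> 12, the '12' in hcaresult_12_2_...
        "phase": int(phase, 16),         # the '2' in hcaresult_12_2_...
        "dump_id": dump_id,              # opaque; kept as text
        "base": int(base, 16),
        "protection": decode_protection(prot_val),
        "executable": bool(prot_val & 0xF0),  # EXECUTE, _READ, _READWRITE, _WRITECOPY
        "writable": bool(prot_val & 0xCC),    # READWRITE, WRITECOPY and their EXECUTE_ forms
        "type": MEM_TYPE.get(type_val, "UNKNOWN(0x%x)" % type_val),
        "undecoded_fields": (f6, f8),
    }


def parse_source_line(line):
    """Parse one 'Source File: ..., Offset: ..., based on PE: ...' report line."""
    m = SOURCE_LINE_RE.search(line)
    if not m:
        raise ValueError("no Source File entry in: %r" % line)
    name, offset, based_on_pe = m.groups()
    region = parse_sdmp_name(name)
    # The report's Offset column should equal the dump's base address; refuse mismatches.
    if int(offset, 16) != region["base"]:
        raise ValueError("offset %s does not match dump base %#x" % (offset, region["base"]))
    region["based_on_pe"] = based_on_pe.lower() == "true"
    return region


def triage(lines):
    """Group Source File lines by region; flag writable+executable, non-image, non-PE ones."""
    regions = {}
    for line in lines:
        r = parse_source_line(line)
        if r["base"] not in regions:
            regions[r["base"]] = {
                "region": r,
                "functions": 0,
                "suspicious": (r["executable"] and r["writable"]
                               and r["type"] != "MEM_IMAGE" and not r["based_on_pe"]),
            }
        regions[r["base"]]["functions"] += 1
    return regions


# Source File lines copied from the entries above (one line per listed function).
SAMPLE_LINES = [
    "Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false",
    "Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false",
    "Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false",
    "Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false",
]

if __name__ == "__main__":
    for base, info in sorted(triage(SAMPLE_LINES).items()):
        r = info["region"]
        print("%#010x %-24s %-11s pe=%-5s functions=%d %s" % (
            base, r["protection"], r["type"], r["based_on_pe"], info["functions"],
            "<- RWX private, not PE-backed" if info["suspicious"] else ""))
```

Run against the listing, every region comes out as PAGE_EXECUTE_READWRITE, MEM_PRIVATE and not PE-backed: executable private memory in the powershell process with no PE header for the disassembler to anchor on, which is why the functions are keyed by bare offset and fuzzy hash rather than by image and RVA. Treat the flag as a triage pointer rather than proof: powershell.exe hosts the .NET CLR, whose JIT also emits code into writable, executable private regions, so corroborate with the report's process-injection and foreign-memory-write signatures before calling a region injected.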
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02c3fc307ab6d68ad33248e36d0e034b8aeb756e1ab49509430bc4e1e0c84c8f
                                                          • Instruction ID: 736705e5e6af06dd0c67c732a559077860718df9c79041e8ee77b5296810c3f5
                                                          • Opcode Fuzzy Hash: 02c3fc307ab6d68ad33248e36d0e034b8aeb756e1ab49509430bc4e1e0c84c8f
                                                          • Instruction Fuzzy Hash: 4F416A74A00205CFCB15CF58C598AAEF7B1FF48364B118259DA15AB364C736FC91CBA4
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 141c0fa6778a89e5ed75776b8e5f181f16355a2fb5210f4146a071d5d43ea458
                                                          • Instruction ID: da8484fef3543c35ad67ec91d18aaf17e381eacc45d5cdb67bd248fab17234c3
                                                          • Opcode Fuzzy Hash: 141c0fa6778a89e5ed75776b8e5f181f16355a2fb5210f4146a071d5d43ea458
                                                          • Instruction Fuzzy Hash: 2E414C35A042048FDB05EF64C568BA9FBF5EF8A744F255099E545AB3A1DB31DC01CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3bac6831d459615cacd87a656a1a7fd107d1e72b389dfeb1948d9143ee28333
                                                          • Instruction ID: 2dc516d91b7553ab28643e26f0f0105c0247bf442069c3ad318f09b80267fe25
                                                          • Opcode Fuzzy Hash: c3bac6831d459615cacd87a656a1a7fd107d1e72b389dfeb1948d9143ee28333
                                                          • Instruction Fuzzy Hash: C93149F0A04202DBDB318E24C901AB677BB9F993D8B1844E6D9018F656CB35DD45C761
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b79cd60c56644747e455a83d2354533e8a53cc02a9dc647ceaa4108f29bb741d
                                                          • Instruction ID: 863a3afbb6f0b8cb0ee3399a2d1df1cf4493afa2a4859a298ac12ca7e43415b5
                                                          • Opcode Fuzzy Hash: b79cd60c56644747e455a83d2354533e8a53cc02a9dc647ceaa4108f29bb741d
                                                          • Instruction Fuzzy Hash: 00317C353002019FD715EB78D854B9AB796EFC4765F008169D609CB352DB70A806CBE1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 141a87c7ce81b94993e905dac25d52dec130a33b71a94091df5df69a50afc911
                                                          • Instruction ID: 36e59b85dcbd0c85d770f16de443317e2645f601bf7d7a7d6ced5c3de02f0be0
                                                          • Opcode Fuzzy Hash: 141a87c7ce81b94993e905dac25d52dec130a33b71a94091df5df69a50afc911
                                                          • Instruction Fuzzy Hash: 27318D75E002098FDB04EFB9D4947AEBBF6EF88340F14806AE505EB351EB748C418BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1fb208ed2236af2995f8d2fed77fa1b1e0ed37ee13fb68de5cdaca7bf6abeeb
                                                          • Instruction ID: cb5eab41d2e1016e1cd102059f3f14a00649bb911a3690374dad36934aa8d283
                                                          • Opcode Fuzzy Hash: c1fb208ed2236af2995f8d2fed77fa1b1e0ed37ee13fb68de5cdaca7bf6abeeb
                                                          • Instruction Fuzzy Hash: 82316F75E002099FDB14EF69D5947AEBBF6EFC8350F14802AE515EB350EB748C018BA5
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 991bdcc88edc7e1d4390840c733fe382817795bd77608edac54e224985a70945
                                                          • Instruction ID: af7cc399c8ec75928e85302655bb8441e538bc68722c7f295c6cc068c918a820
                                                          • Opcode Fuzzy Hash: 991bdcc88edc7e1d4390840c733fe382817795bd77608edac54e224985a70945
                                                          • Instruction Fuzzy Hash: BA3163B4E042449FDB01DB64D894AEEBBB3EF85300F5584A9D611AF396CA399D01CF61
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae706c4abaa5c5cb5ab7b629621a890c5998abeaafab2c8ed701746a36e8f0f6
                                                          • Instruction ID: ef2641f312ec687bfc3f7b87e49cc262f3037657d17bdea6293c1d4982d9ce1f
                                                          • Opcode Fuzzy Hash: ae706c4abaa5c5cb5ab7b629621a890c5998abeaafab2c8ed701746a36e8f0f6
                                                          • Instruction Fuzzy Hash: D4315A70A002048FDB14EFA8D458AAEBBF2BF89754F04446ED502EB3A1DF309C41CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b58036746899908a3458608db883e9dc70f8e97da0b65f0f4bc8d6d475e39a6a
                                                          • Instruction ID: 6cf0908f61f43ea8fbb0cab8c1e021633c21e4e78ea85907c5c9e19c606f8e94
                                                          • Opcode Fuzzy Hash: b58036746899908a3458608db883e9dc70f8e97da0b65f0f4bc8d6d475e39a6a
                                                          • Instruction Fuzzy Hash: BF312735A002048FDB14DF69D458AAEBBF2BF88754F04846DE506EB391DF31AC41CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0c465775bc3e389eaf05a8766fa56c8b64228ad0da2f55c27d4476f30fcf009b
                                                          • Instruction ID: d5cd40e82406ed1259c561ac9a8fd58e310487002cd794ca292324d71df8d79a
                                                          • Opcode Fuzzy Hash: 0c465775bc3e389eaf05a8766fa56c8b64228ad0da2f55c27d4476f30fcf009b
                                                          • Instruction Fuzzy Hash: 94311EB4E002099FDB04EFA4D994AAEB7B7EF85300F5084A9D611AB3D5DB399D418F90
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff07048cd46b90d2553081577499b9a66d8b6e2173bc0e359a7a7bb638310f0f
                                                          • Instruction ID: 70e3be31327a8dbd6f67f2ef3d637408f31e6fe3b81d343f060c07dd0e7786d2
                                                          • Opcode Fuzzy Hash: ff07048cd46b90d2553081577499b9a66d8b6e2173bc0e359a7a7bb638310f0f
                                                          • Instruction Fuzzy Hash: F5210776A04300EFDF25CF10DAC0B16BB61FB88314F24C699EE090B696C736C456DB61
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c16abbb45076291e833a018f2efff983fd46b3a0fe6bdd1cd63954fa1cb2d6d4
                                                          • Instruction ID: 50ac3c8990eb54bd8323a77ca269dc9f30b02cf5fa00dec64801d9c93c12c11d
                                                          • Opcode Fuzzy Hash: c16abbb45076291e833a018f2efff983fd46b3a0fe6bdd1cd63954fa1cb2d6d4
                                                          • Instruction Fuzzy Hash: A1317874D053448EDB60DF6AD18879AFBE2EB88324F28C45ED5599B305C7B45441CB61
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d254fb7e4d32f460e06383f7737b690c371bb3f686e92f30b78884d7d21d78af
                                                          • Instruction ID: 091f547398f62c6e026f8ce7c59b7a73637ba614aceb2213ba2f9dccc5a1ee49
                                                          • Opcode Fuzzy Hash: d254fb7e4d32f460e06383f7737b690c371bb3f686e92f30b78884d7d21d78af
                                                          • Instruction Fuzzy Hash: 54210776A04340DFDB24DF20D9C0F16BBA5FB94714F24C66DDA0A4BA82CB36D446DA61
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f38f5ab9ac17bfc8127dc4ea557179fe1dc8d7ffc67c85d289de68282981abf
                                                          • Instruction ID: 0c3ac3df6e284f4d5a79edbd7c898865a5f4ddfea6bf07649d096af0b32cea01
                                                          • Opcode Fuzzy Hash: 0f38f5ab9ac17bfc8127dc4ea557179fe1dc8d7ffc67c85d289de68282981abf
                                                          • Instruction Fuzzy Hash: AA2186B4E013048EDB60DF6AC58839AFBF6EB88314F28C42ED95D9B345C7B46480CB61
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 767c92ef4510a9f9ee4ebe109d16b03cd51a6a77755d0a5073b4349a70aca4b9
                                                          • Instruction ID: 37cef1e59da22e0660afedba2ce93e4a7a3b9fcb5ee0553aa671964ba13a750a
                                                          • Opcode Fuzzy Hash: 767c92ef4510a9f9ee4ebe109d16b03cd51a6a77755d0a5073b4349a70aca4b9
                                                          • Instruction Fuzzy Hash: 7E112139B001148FDB14DBA8D880ADDB7F6EBCC655B1540A8D609DB354DB35DC028B90
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
                                                          • Instruction ID: fc2bb723d25751c81e933073ae63dc42031425a39497911480ab541e7a565eb7
                                                          • Opcode Fuzzy Hash: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
                                                          • Instruction Fuzzy Hash: 3A218E76904240DFCF16CF10D6C4B15BF72FB88314F24C6A9DD494A656C33AD456DB91
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ddb3734c724926600bbb3f8bc75d71c7802c012624ff9d398f3a9d8363b068c
                                                          • Instruction ID: 50794c8d2845d1ffd03665a5c8ac8a4790ab6655a343214a7a9cb4fbe593f126
                                                          • Opcode Fuzzy Hash: 0ddb3734c724926600bbb3f8bc75d71c7802c012624ff9d398f3a9d8363b068c
                                                          • Instruction Fuzzy Hash: 6311D075904280CFCB21CF10D5C4B15BFA1FB44328F28C6A9D9094BA96C33AD44ADF51
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64bb3cc36fe82d8db3145b1b74d414dc076217dabac24dbc7ce630e58b3e90ed
                                                          • Instruction ID: 5448ec94bf5ddb1825bdf3490443ea1e3facaa38600814162a3856ed6389c3e0
                                                          • Opcode Fuzzy Hash: 64bb3cc36fe82d8db3145b1b74d414dc076217dabac24dbc7ce630e58b3e90ed
                                                          • Instruction Fuzzy Hash: B50126316087449FD714DB75D494B5ABFF0EF45254F1884EED18AC76A2D720E845C701
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6f19aadc3d0e553fd9addfcf8566b1503bce008ae1167c363315c9090ef3205
                                                          • Instruction ID: 1aa4470e99c65246fc5395c14929886c06a708eef4933524f64abe83f1638d6a
                                                          • Opcode Fuzzy Hash: f6f19aadc3d0e553fd9addfcf8566b1503bce008ae1167c363315c9090ef3205
                                                          • Instruction Fuzzy Hash: 6901F731700204AFCB18EA6ADC94B2EF7E9EF89265B10497DE209D7351DF31AC01C761
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb8283c47d8c2b471b00b4cc3cf7f2fea82b2ac778ed37c971ca177039d73a7f
                                                          • Instruction ID: f70151399d47c35f479f36862d6ee5ed5f0337c5f726700d76e060d511f15d33
                                                          • Opcode Fuzzy Hash: fb8283c47d8c2b471b00b4cc3cf7f2fea82b2ac778ed37c971ca177039d73a7f
                                                          • Instruction Fuzzy Hash: E3014C36B012149FCB119BB4E908AAEBBF9FBC9315F14406DE91AD3742DB329911CBD1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cd68432ca6901958daca8965b7eaaed266b6197e5f33e6f524bccf10d425464
                                                          • Instruction ID: 6764f54d93e732d6d02a79fb34d7019e94bbec10676a5326f5fb29db3045dc8d
                                                          • Opcode Fuzzy Hash: 4cd68432ca6901958daca8965b7eaaed266b6197e5f33e6f524bccf10d425464
                                                          • Instruction Fuzzy Hash: 64110534204754CFC728DF75D09086ABBF6EF8961532089ADD48A8B7A1DB36F846CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c409999e6f9daf838e3aef110cf0b410c97b4b63fa59ae0dff76f2dcacfd0a17
                                                          • Instruction ID: 700981fc0fb429ce7eaa3e94faabdef869b474e9f09bc43f3a736a2f0d117854
                                                          • Opcode Fuzzy Hash: c409999e6f9daf838e3aef110cf0b410c97b4b63fa59ae0dff76f2dcacfd0a17
                                                          • Instruction Fuzzy Hash: FE01F771908300AAE7204A61CDC4F67BBD8DF41AA4F08C01ADE4C0F2C6C3789441DAB6
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8133691e83206477d4cd5564abc61fc8b8dbcaff7e644dec953ae32887e62dd
                                                          • Instruction ID: a8c07b080540d1782c55c25e969e672c9c41286254b773ba36e381e02d596ade
                                                          • Opcode Fuzzy Hash: b8133691e83206477d4cd5564abc61fc8b8dbcaff7e644dec953ae32887e62dd
                                                          • Instruction Fuzzy Hash: 3C014C6140E3C09FD7228B258894B52BFB8EF43624F1D81DBD9888F2E7C2695849D772
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b44bb4d4d1ddb6d4eb12a0a4d00e4d6975a0813735ee1ebf3023632c60fd9209
                                                          • Instruction ID: aa25d2c67bc935e3cf71e6eb92c0a5eee58d4e0c28af569543403d22592f1d32
                                                          • Opcode Fuzzy Hash: b44bb4d4d1ddb6d4eb12a0a4d00e4d6975a0813735ee1ebf3023632c60fd9209
                                                          • Instruction Fuzzy Hash: A8F0F4357093D06FD3018ABA9C449B77FE9DB8612070941BBF484C7262CA60CC00C760
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abf5e50e16c7d4b1eef1df68be4328e2bf10fbbe30ed1780943a1b194ff22a26
                                                          • Instruction ID: b8eb42245d25306e2b2ded5051854960b03362a71a2862a3eaf7913d2dbefb43
                                                          • Opcode Fuzzy Hash: abf5e50e16c7d4b1eef1df68be4328e2bf10fbbe30ed1780943a1b194ff22a26
                                                          • Instruction Fuzzy Hash: 91F0F031601700AFC718AA56DC84B6EB7E9EF88661F000A2EE20A97391CF30AC018B70
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96d8f624305b06145c3a2fa64c4d9756c528862058dcddcf98d366b38248fd8f
                                                          • Instruction ID: 83eb8f24361809d0c3290acd8fe4274c20753d51c06126356452d1e3229afbbb
                                                          • Opcode Fuzzy Hash: 96d8f624305b06145c3a2fa64c4d9756c528862058dcddcf98d366b38248fd8f
                                                          • Instruction Fuzzy Hash: 61F04976600600AF83208F0AD984C23FBADEBC4670719C05AF84A8B752C631EC41CEB0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 967279ab784c6dabb84edfa45a219a5f6f5a6450de0f7008c378034b4debba04
                                                          • Instruction ID: 326576267de514b29f94bee67e6fd38fc4e0a35edcacbaef30e7ded501527a05
                                                          • Opcode Fuzzy Hash: 967279ab784c6dabb84edfa45a219a5f6f5a6450de0f7008c378034b4debba04
                                                          • Instruction Fuzzy Hash: 59F0F635A082509FD701AB78D4557ABBFA2DFC2354F14819FC6468B3C6DE391806CFA1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0fd3c6a4df52d1088f7980738faece60b629eb320c6030c6ab1d52fef07fddbf
                                                          • Instruction ID: c02167b871420a2f6546937923c29a357b8309496aa794716728924654051dc8
                                                          • Opcode Fuzzy Hash: 0fd3c6a4df52d1088f7980738faece60b629eb320c6030c6ab1d52fef07fddbf
                                                          • Instruction Fuzzy Hash: 38F05E397042404FC3119B2CD494966BBF5AFCA65531911DAE585DB772DB71CC02CF50
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044051432.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f0d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 45f31cbf0444afee9c4c719dc6f31e75232994cda2ce5779fdb69d38d00db4fc
                                                          • Instruction ID: bdea49a6ed9518123d435a4a20c18b2dc1e3104625c835264c3fa689092fc420
                                                          • Opcode Fuzzy Hash: 45f31cbf0444afee9c4c719dc6f31e75232994cda2ce5779fdb69d38d00db4fc
                                                          • Instruction Fuzzy Hash: FDF0497A500640AFD320CF06CD84D23BBBAEB85664B198489F84A8B352C631FC02CF60
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28bb850daada2b2f7ad866c902c1e46773573545110ea7a735027acf78bc14d3
                                                          • Instruction ID: f3478c3ad8615b3664c41f8b6d9ec583fde7c88fdfa91e68f91fba681f8ede91
                                                          • Opcode Fuzzy Hash: 28bb850daada2b2f7ad866c902c1e46773573545110ea7a735027acf78bc14d3
                                                          • Instruction Fuzzy Hash: A8F054709093505FD7619B78D89C79B7FE5EF42310F1404AED59ACB282CB355845CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c8faffa88b65099efb9c8152c7a06f0b2a3a63a033909c49878b06bac6f5de03
                                                          • Instruction ID: 3dcab7e90eb934ae20d81cd97d7a09ce9c9f0eb2ea1df173eb1887aa96ba9a3e
                                                          • Opcode Fuzzy Hash: c8faffa88b65099efb9c8152c7a06f0b2a3a63a033909c49878b06bac6f5de03
                                                          • Instruction Fuzzy Hash: F2F0A7317006149FD710A756D884A6FB7EAEF88671B40452DE209D3341DF30AC018761
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bd71fced7bdcf2e8be666122d525d918bc59baeeec8ba17eeed346a8c1d8e1f
                                                          • Instruction ID: 6c3c12319a1c3d4ecf5a93b2940cbf13bdcb39cd9b87331688df90f6507597a6
                                                          • Opcode Fuzzy Hash: 5bd71fced7bdcf2e8be666122d525d918bc59baeeec8ba17eeed346a8c1d8e1f
                                                          • Instruction Fuzzy Hash: 81F02735A042149BE704AB69D44479BBB96DBC0794F10816AC6094B3C4DF396801CBE1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4430f6267fd3730a53204906c91a53f4c44a6a64730db11aef983c564fa3907
                                                          • Instruction ID: 1131744692d49bcd44793a2940d83b4e6d209d9cd5d7d1cb76d407a9876ec2ac
                                                          • Opcode Fuzzy Hash: d4430f6267fd3730a53204906c91a53f4c44a6a64730db11aef983c564fa3907
                                                          • Instruction Fuzzy Hash: AFF0A039B001058FDB10ABAD984079AF7A2EBCC699B264298E60DCB354DF34CC028F90
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6224cd22c805b5558c68487462c8c3a12198cdcbfda4502cd214883c76c3a47f
                                                          • Instruction ID: 453b12daa94c2e8bf6cd99fd6bac240bb803ee5369df066311f75cd1d96c30e9
                                                          • Opcode Fuzzy Hash: 6224cd22c805b5558c68487462c8c3a12198cdcbfda4502cd214883c76c3a47f
                                                          • Instruction Fuzzy Hash: ABE0D822B571550B8B5272B81C002BBE6CB9EC65F9B45037FC766DF382DE80CC0687A1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2c3d7b11e299426a21961866586ad81ea27273e59cc647b700a8532233fb6a3d
                                                          • Instruction ID: 2ba750fc4d99031ac22166302795047e7679a530f43432b34ef05d95f74b642c
                                                          • Opcode Fuzzy Hash: 2c3d7b11e299426a21961866586ad81ea27273e59cc647b700a8532233fb6a3d
                                                          • Instruction Fuzzy Hash: 50E0ED367001148F83109B1DD494D66B7FAEFDE66531510A9E945DB361DB71DC018B90
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 125893c780db2f3f8fe58cdddc0c56914680675916e618fb884c781169706466
                                                          • Instruction ID: 5638027c4f8f2dcfafde3d49ee52a544a31e7fa0958d504f4cae0369f9c37e76
                                                          • Opcode Fuzzy Hash: 125893c780db2f3f8fe58cdddc0c56914680675916e618fb884c781169706466
                                                          • Instruction Fuzzy Hash: 17F0A0353092909BCB0A677895181AE7F66ABC1325F0402AFE216CB683CF680805C7EA
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bb4d4ab05bfbc736551f29a613d8b638764d32ffc1fab3cba11041e3182f6ce5
                                                          • Instruction ID: 083e8ac5699f440b8e2e063042de6db299c48d21cd35165b775604602694da0d
                                                          • Opcode Fuzzy Hash: bb4d4ab05bfbc736551f29a613d8b638764d32ffc1fab3cba11041e3182f6ce5
                                                          • Instruction Fuzzy Hash: EFE0E532704140A78B09D6A8D4404F9FB61EFCA220F0480BFD946A7240CA215816C6B0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3f9761bac6495cfbac1ce8a41c7061420a973c0a57c534cdebf128365a53fd2
                                                          • Instruction ID: c1b218c58c578e6b8ea2179a430bec162da043e699d0554240a1d4a38df4eab5
                                                          • Opcode Fuzzy Hash: b3f9761bac6495cfbac1ce8a41c7061420a973c0a57c534cdebf128365a53fd2
                                                          • Instruction Fuzzy Hash: A6E0DF2670D2D11A8B27A27DA8604AAAF73CAC326031D85FBE185CF253C8918C078321
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47e786d4959211946e9c3e3fcca4e54eb6b2b6131a6ea690dc1c24ca711f1f6b
                                                          • Instruction ID: b1b208c2eeb8fe3a7383138447ee7653a934b8efed7d50f2b7c439c3cb20a61b
                                                          • Opcode Fuzzy Hash: 47e786d4959211946e9c3e3fcca4e54eb6b2b6131a6ea690dc1c24ca711f1f6b
                                                          • Instruction Fuzzy Hash: E5F06D709003048BD7609B78D89C7ABBBE9EB44350F00482DE20EC7381DF35A880CBD0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e00cb2950c339c67b0270bb4309dc25fe2d5e6e05e3918ca2c38bdc4d85e2ca8
                                                          • Instruction ID: e46846fc1dcc11e57467985252a2627d032b7e0077aa8b3f92238045e4ffaed6
                                                          • Opcode Fuzzy Hash: e00cb2950c339c67b0270bb4309dc25fe2d5e6e05e3918ca2c38bdc4d85e2ca8
                                                          • Instruction Fuzzy Hash: DCE0263530461097CB083B78A90C2AF7A5BEBC4724F00042EE71A83383CF38180187DD
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8a827fc65c6667066481b9ee13353da365daf895884cf1bf5b6222e8bc015f6e
                                                          • Instruction ID: fc87e543dd7151262a1d498ffe88270deb6ca01e01efbcf1190ec3dc6b6279e8
                                                          • Opcode Fuzzy Hash: 8a827fc65c6667066481b9ee13353da365daf895884cf1bf5b6222e8bc015f6e
                                                          • Instruction Fuzzy Hash: 2AD05E22B521291B4D5471AA1C006BBF1CFDAC65E5785103A9B15E7345EF80CC0147F1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                          • Instruction ID: 3e4342098c43cb850f1dcae6e94b78879172a1cdaaa058b80ccf67e69f322f0b
                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                          • Instruction Fuzzy Hash: 40E08633B00014978B08D5A9D4504E9F7A5DFCC260F04847EDA0AA7380DA325916C6E1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a930fcc1f16b20c62a6dcd8bb5d63993672a93d3d4c7bb315a7cda650876d497
                                                          • Instruction ID: 508490ea4c18bdd17a856ebf50f8db6be44dbd2e413b991edeb39dd56f806f14
                                                          • Opcode Fuzzy Hash: a930fcc1f16b20c62a6dcd8bb5d63993672a93d3d4c7bb315a7cda650876d497
                                                          • Instruction Fuzzy Hash: CFE0DF30D08049EBCF49BBB4E4498EFBF70EA01310F00019DD9A382493DA70050ACFC0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 040e67d72fd4fe0305bc2556fafd6aea87c15c18152083ed38b7c545aea36fed
                                                          • Instruction ID: fa6186881db30fd3fe5a8d542c47cb7e8ea176e1354f303673fa33fb967c9662
                                                          • Opcode Fuzzy Hash: 040e67d72fd4fe0305bc2556fafd6aea87c15c18152083ed38b7c545aea36fed
                                                          • Instruction Fuzzy Hash: 26E09A3490824A9B8B54EBB8D1054ABBFB0EB46244F0002AEE94A87643D6300802CFC1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33b29bc6cc71b1e1d00bab139cc5a13d421073ce3c39aa5d7e5ab9fdf952f717
                                                          • Instruction ID: 48ec186e4144dfa518620882ae99a2a07963eb3ce0120b8a9a1f497ec1d939a6
                                                          • Opcode Fuzzy Hash: 33b29bc6cc71b1e1d00bab139cc5a13d421073ce3c39aa5d7e5ab9fdf952f717
                                                          • Instruction Fuzzy Hash: 32E04FB0E452469E8B80EF7C84815ADFFF0EB49240B6086AEC549D7211E7328612CF81
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction ID: b5bf2a5ddc3acb8cd8d7ace537434721ea746a4e60f25fa9033eb3e383549d07
                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction Fuzzy Hash: BAD067B1D042099F8780EFADC94156EFBF4EB48200F6085AA8919E7301E7329A12CBD1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71014ad8788157e6ee212a42edb6908ce4de71e8acf233676360ebf1c96da3eb
                                                          • Instruction ID: 5658e4e50b3824c6be18db000511488784b00ebc0d8ff1978debbb2e035cbaca
                                                          • Opcode Fuzzy Hash: 71014ad8788157e6ee212a42edb6908ce4de71e8acf233676360ebf1c96da3eb
                                                          • Instruction Fuzzy Hash: C7D0173180410DDBCB48BBA4E91A8BEBB38FA40301F40016DDA1792592EB301A4ACAC0
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95041ff72c2938381f198791c27ec837b55a8d2a5c66e79d9b5f2a220479c935
                                                          • Instruction ID: 09be78db978a4f5f5f3139ec74eef5ab06d0752df72c3ff538233f68ade33d91
                                                          • Opcode Fuzzy Hash: 95041ff72c2938381f198791c27ec837b55a8d2a5c66e79d9b5f2a220479c935
                                                          • Instruction Fuzzy Hash: B0D01234A0420ADF8744EF64E54646EBFB4E744300F004159D90593781EA345801CBC1
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c7827bf93de6c0a5f08b460a14ef6795b817e910c2cd6f0cbb8289302f0bea3
                                                          • Instruction ID: 5f9a616d23c581efaaf01c300751642116512c6cd7f2d8f7d97412b2da3afd6d
                                                          • Opcode Fuzzy Hash: 3c7827bf93de6c0a5f08b460a14ef6795b817e910c2cd6f0cbb8289302f0bea3
                                                          • Instruction Fuzzy Hash: 6DD0C9300007048FC31DAB79D959A257B68AF01201F4214A9E91A0B2A7CB35A841CA20
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cdb144031ffc0eeeb8f5e7c0b8f7cd77cd8ce7f5c018c002f876f089a643544a
                                                          • Instruction ID: 5eda62ad6b98841527d097369dd1328814da83a81c109c63bcb8159f56eb8ae2
                                                          • Opcode Fuzzy Hash: cdb144031ffc0eeeb8f5e7c0b8f7cd77cd8ce7f5c018c002f876f089a643544a
                                                          • Instruction Fuzzy Hash: F2C09B336402009FEF0DDA35CD69725BF65D743711F0256AD9103CB1E4CE385400CD20
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0fb37b4013faed45c4a54adca54d3953a4bd83df4e9806be36e1c9766283651
                                                          • Instruction ID: 142277cae2179f019f7d9d7a17cd222994e574891ae5d7fe299deb7de1c41ba0
                                                          • Opcode Fuzzy Hash: b0fb37b4013faed45c4a54adca54d3953a4bd83df4e9806be36e1c9766283651
                                                          • Instruction Fuzzy Hash: 77B092300447088FC3486FBAA4089287729AF4021538104A9E91E0A39B8F36E884CA44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cDk$4'q$4'q$4'q$4'q$84Ol$84Ol$tPq$tPq$$q$$q$JRl$JRl$JRl$JRl$JRl$rQl$rQl
                                                          • API String ID: 0-1189192882
                                                          • Opcode ID: 4b61a270940733265f214c0073d1c030635b832adcc377f1978cbc62f3a62dce
                                                          • Instruction ID: b9daa2971c036c2c3bce69dc07046c6942673d3e47851fa01e8b47de5feba96d
                                                          • Opcode Fuzzy Hash: 4b61a270940733265f214c0073d1c030635b832adcc377f1978cbc62f3a62dce
                                                          • Instruction Fuzzy Hash: 13E151B1B0430A8FC7219B6998057A6BBFAAFC9251F18C47BD555CF252DB31C842C7E1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,kAq$,q$$q$$q$$q$$q$$q$$q
                                                          • API String ID: 0-2047734230
                                                          • Opcode ID: 0efd9f4df2e34713b549df530f766664925d1c366b911959f489bab068ec1eaa
                                                          • Instruction ID: de714da4adaa1e4c3d9698271e4e5e1e4ab175204bf1f78aa1f0ad3e1e6546e1
                                                          • Opcode Fuzzy Hash: 0efd9f4df2e34713b549df530f766664925d1c366b911959f489bab068ec1eaa
                                                          • Instruction Fuzzy Hash: 5C51B431B046148FDB29B77AB85466CF796BF8969031504AAF25BCB771EF10CC09C7A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TcDk$lcDk$JRl$JRl$JRl$JRl$JRl$JRl
                                                          • API String ID: 0-2222330712
                                                          • Opcode ID: 898ffaf93819a5bdc7be8f2826e523fb1c6e73e6b8b844bcd713b70ad94ec6f8
                                                          • Instruction ID: 266263b3ab1c27e87d4e91d579f10d677b635da69229f847f92c2add0082ce9b
                                                          • Opcode Fuzzy Hash: 898ffaf93819a5bdc7be8f2826e523fb1c6e73e6b8b844bcd713b70ad94ec6f8
                                                          • Instruction Fuzzy Hash: BE314BB2B0C7915FD31546646C11AA37BBEAFCB26071988ABD550DFA93CA348C41C3B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fq$4'q$4'q$4'q$4'q$rQl$rQl
                                                          • API String ID: 0-3537796538
                                                          • Opcode ID: 89ab0379de51d0ceec866117c9925c32240b0b1250a07a0b1bef33d47f6db9f6
                                                          • Instruction ID: 35b120f8ac0477a87d444d800d8fd84dcf058d645ae1bbca4a14a435249fb318
                                                          • Opcode Fuzzy Hash: 89ab0379de51d0ceec866117c9925c32240b0b1250a07a0b1bef33d47f6db9f6
                                                          • Instruction Fuzzy Hash: 0DE19BB1B083458FD7219B749810BAA7BB5AFCA254F2484BBD445CF292DB75CC42C7E2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q$$q$Gl$Gl
                                                          • API String ID: 0-2055229760
                                                          • Opcode ID: 461573b7cc78357d74656dc1d1be9d19dc90feacfa706a76a5f74a0b4e7f0ac8
                                                          • Instruction ID: be1a9f5c0ae7ff1b7269bf21689956519bfcb5888960a231ce3443738f9fdaf6
                                                          • Opcode Fuzzy Hash: 461573b7cc78357d74656dc1d1be9d19dc90feacfa706a76a5f74a0b4e7f0ac8
                                                          • Instruction Fuzzy Hash: AE5188F17043069FDB344A7988017A6BBFAAFCA6A1F28847BD405CB251DB35C842C7B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,kAq$`Qq$$q$$q$$q
                                                          • API String ID: 0-3082558321
                                                          • Opcode ID: fc097e002b00dfc29b63467435e5f21caabf0c20e3283c5bd8c750c1015db560
                                                          • Instruction ID: 16227ab1c780d2459eafd8e4a87b52c474565d7e338bad8927bb0c3eb3da0383
                                                          • Opcode Fuzzy Hash: fc097e002b00dfc29b63467435e5f21caabf0c20e3283c5bd8c750c1015db560
                                                          • Instruction Fuzzy Hash: 11E1EA31F102104FEB246B79981472EF2D6AFC9B94B6545AAD606DF791EF34CC0287E2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: c8da3014c6b8e8ad798f44f0852c474137a645872cba07c33be46976919f3616
                                                          • Instruction ID: f2b3e0ef6b09a840d3727f48c9d333bb9c846f8eefd213da8e6312652b1daf61
                                                          • Opcode Fuzzy Hash: c8da3014c6b8e8ad798f44f0852c474137a645872cba07c33be46976919f3616
                                                          • Instruction Fuzzy Hash: 79B1A274E003099FDB54DFA9D980A9DFBF2BF88314F208629D519AB345DB34A905CFA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2044512682.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2f80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: 0f15dd6536895db7343c13f883815562bd25e6b53cd0eb831b2d3c128a52c113
                                                          • Instruction ID: f258826c71f9c39df576c29e25a9cf8fbb0b11817bc4e6ea4cd4502a53a1ae33
                                                          • Opcode Fuzzy Hash: 0f15dd6536895db7343c13f883815562bd25e6b53cd0eb831b2d3c128a52c113
                                                          • Instruction Fuzzy Hash: 35B19378E013099FDB54DFA9D980A9DFBF2BF88314F208629D519AB345DB30A905CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$$q$$q
                                                          • API String ID: 0-4102054182
                                                          • Opcode ID: fb8b15ca816c115411b40963fb9805e0c9ec0b11d8ebc1f2aeaafd027cee3c08
                                                          • Instruction ID: eea6e02c974c19ee719d94db6936ff1b212cbc2dc945b629673fc0664b69f95b
                                                          • Opcode Fuzzy Hash: fb8b15ca816c115411b40963fb9805e0c9ec0b11d8ebc1f2aeaafd027cee3c08
                                                          • Instruction Fuzzy Hash: 9A2149B171430A9BEB34593A9C00B27B7DBABC9799F24443AE905CB381DD75D852C321
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q
                                                          • API String ID: 0-3199993180
                                                          • Opcode ID: 5e0cd1642bd76b6db8345267206d3ec40aded01bff084df28a1f226688067f80
                                                          • Instruction ID: dec66b84904919879019abadb79a8e894e8b3a192ba53f483168d178f5392cad
                                                          • Opcode Fuzzy Hash: 5e0cd1642bd76b6db8345267206d3ec40aded01bff084df28a1f226688067f80
                                                          • Instruction Fuzzy Hash: 85019271A0E3864FD327526878212A56FB65F8769072E40DBD481DF297C9688C06C7A7

                                                          Execution Graph

                                                          Execution Coverage:6.3%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:3
                                                          Total number of Limit Nodes:0
                                                          execution_graph: 8b06840 -> 8b06883 SetThreadToken -> 8b068b1

                                                          Control-flow Graph

                                                          control_flow_graph: function 4a8b490-4a8b805, calls 4a8a9a4
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f550e4c4d4923f8bb062c48e6a69611d280ab82ded809b3ee3ef8a35a11b7bc3
                                                          • Instruction ID: 04aed89b148b96a1fd534322ef0e7f92d927a4e1d0d1b79c14e4b3170d6acd1d
                                                          • Opcode Fuzzy Hash: f550e4c4d4923f8bb062c48e6a69611d280ab82ded809b3ee3ef8a35a11b7bc3
                                                          • Instruction Fuzzy Hash: 0D917F74B007145BEB19EFB984506AE7BE3EFC4700B008A1DD116AB344DF78AE058BD6

                                                          Control-flow Graph

                                                          control_flow_graph: function 4a8b4a0-4a8b805, calls 4a8a9a4
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6fc17d946d45ac20faafbf09421b4aef9f16338158ac50a20f28bd970459d300
                                                          • Instruction ID: 7d5beef4fe1b1e0aa698265cc3722be51f460f309a0e5faa3ac3cf555c5344ef
                                                          • Opcode Fuzzy Hash: 6fc17d946d45ac20faafbf09421b4aef9f16338158ac50a20f28bd970459d300
                                                          • Instruction Fuzzy Hash: 20914F74F007149BEB19EFB994506AE7AE3EFC4700B008A1DD516AB344DF78AE058BD6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,SQl$,SQl$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$p5Ak$tPq$tPq$tPq$tPq$tPq$tPq$#Ak$$Ak$$q$$q$$q$JRl$JRl$JRl$JRl$JRl$JRl$RQl$RQl$rQl$rQl$Gl$Gl
                                                          • API String ID: 0-3170436593
                                                          • Opcode ID: 2ef191802e7a453936141e57241355b251de4306f89c4cf9a529321d97c1ed90
                                                          • Instruction ID: 09844c15c53d456c074de7e9165b8d83feb55cfdc2cccb2fac606ee1d41c04d9
                                                          • Opcode Fuzzy Hash: 2ef191802e7a453936141e57241355b251de4306f89c4cf9a529321d97c1ed90
                                                          • Instruction Fuzzy Hash: 09B246B1B04306AFFF249F6D88057AABBE6BF86218F14847AD505CF251DB75C842C7A1

                                                          Control-flow Graph

                                                          control_flow_graph: function 7993ce8-79943ea, no calls or APIs resolved
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q
                                                          • API String ID: 0-4210068417
                                                          • Opcode ID: 6e185a8e2ed4865d3bfb5f5922dee949ef99b9009c4aad0a1bdb49121bfc58f1
                                                          • Instruction ID: 6225237edeac1a2371ced21624a6f51abc3b5ff504fdbd45cbb666a1d0bf08a9
                                                          • Opcode Fuzzy Hash: 6e185a8e2ed4865d3bfb5f5922dee949ef99b9009c4aad0a1bdb49121bfc58f1
                                                          • Instruction Fuzzy Hash: 161238B1B043558FEF269B6C98117ABBBF69FC2218F14807AD505CF661DB31C942C7A1

                                                          Control-flow Graph

                                                          control_flow_graph: function 79917b8-7991bc1, no calls or APIs resolved
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Gl$Gl
                                                          • API String ID: 0-2956888029
                                                          • Opcode ID: 25c81639e0fe121fc38846489539a24cf10248758ae28db5eb391fe938ec6afd
                                                          • Instruction ID: d7910e275d80fe9af42352ad510fbaf1be535f96e4bd502552b700e11dbfdf40
                                                          • Opcode Fuzzy Hash: 25c81639e0fe121fc38846489539a24cf10248758ae28db5eb391fe938ec6afd
                                                          • Instruction Fuzzy Hash: 60B134B5B0430B8FEF259A6D94007AABBE6BFC6228F18807AD545CB251DA30DD41C7A1

                                                          Control-flow Graph

                                                          control_flow_graph: function 8b06838-8b068d5, calls SetThreadToken
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2136724796.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_8b00000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ThreadToken
                                                          • String ID:
                                                          • API String ID: 3254676861-0
                                                          • Opcode ID: 84e84c7695ddf7217a5633d098d41d168f0022acadac9860dbbe5ac1aabb775e
                                                          • Instruction ID: 78f104405b1a2214afb9ab04e051fc58d1f2ebab38813734378178c160844c18
                                                          • Opcode Fuzzy Hash: 84e84c7695ddf7217a5633d098d41d168f0022acadac9860dbbe5ac1aabb775e
                                                          • Instruction Fuzzy Hash: 4E1134B5D003488FDB20CFAAD484BDEBBF4AB88220F24845AD418A7251C774A845CFA4

                                                          Control-flow Graph

                                                          control_flow_graph: function 8b06840-8b068d5, calls SetThreadToken
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2136724796.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_8b00000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ThreadToken
                                                          • String ID:
                                                          • API String ID: 3254676861-0
                                                          • Opcode ID: 22c01db7a9ca480226fb12a1cd959f2a9cb77d42914b51a1fd7f87f193576330
                                                          • Instruction ID: a6f75830c48f04759c8813022bbff9a0db9b8695ecd81609634d4f3e778645eb
                                                          • Opcode Fuzzy Hash: 22c01db7a9ca480226fb12a1cd959f2a9cb77d42914b51a1fd7f87f193576330
                                                          • Instruction Fuzzy Hash: DA11F5B5D003488FDB20DF9AC944B9EFBF8EB88224F14845AD418A7350D778A944CFA5

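The two records above are the ones worth pivoting on: both functions live in the same private, executable 08B00000 region of the PID 14 powershell process and both resolve the ThreadToken API. The record fields that make that pivot possible are the .sdmp name (process id, analysis stage, base address and page attributes), the Snapshot File name, the API ID list and the Opcode ID. The Python below is an added example, not Joe Sandbox code: it parses a handful of these records (copied from this page and trimmed to the lines the parser reads, embedded as constructed input), checks that each .sdmp name agrees with its Snapshot File name, lists the private RWX regions, and returns the functions that reach a given API. Decoding the fifth and seventh .sdmp fields as VirtualQuery Protect and Type values is an assumption; the values on this page (0x40, 0x20000) do correspond to PAGE_EXECUTE_READWRITE and MEM_PRIVATE, the usual profile of injected code.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: four records from this page, trimmed to the lines parsed below.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 0000000C.00000002.2072300525.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
• Snapshot File: hcaresult_12_2_77e0000_powershell.jbxd
• API ID:
• Opcode ID: fb8b15ca816c115411b40963fb9805e0c9ec0b11d8ebc1f2aeaafd027cee3c08
Memory Dump Source
• Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
• Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
• API ID:
• Opcode ID: 8677a650ca9437728268374cf2b7402b445ffac2b960f9a30737aa045a930aac
Memory Dump Source
• Source File: 0000000E.00000002.2136724796.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false
• Snapshot File: hcaresult_14_2_8b00000_powershell.jbxd
• API ID: ThreadToken
• Opcode ID: 84e84c7695ddf7217a5633d098d41d168f0022acadac9860dbbe5ac1aabb775e
Memory Dump Source
• Source File: 0000000E.00000002.2136724796.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false
• Snapshot File: hcaresult_14_2_8b00000_powershell.jbxd
• API ID: ThreadToken
• Opcode ID: 22c01db7a9ca480226fb12a1cd959f2a9cb77d42914b51a1fd7f87f193576330
"""

# .sdmp name layout as observed on this page: <pid>.<stage>.<seq>.<base>.<protect>.<?>.<type>.<?>.sdmp
# pid/stage/base are confirmed by the matching Snapshot File names; reading field 5 as the
# VirtualQuery Protect value and field 7 as the Type value is an assumption.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<seq>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$",
    re.IGNORECASE,
)
SNAP_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<stage>\d+)_(?P<base>[0-9a-f]+)_(?P<proc>.+)\.jbxd$")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class DumpFunction:
    pid: int
    stage: int
    base: int
    protect: int
    mtype: int
    process: str
    snapshot: str
    api_ids: List[str]
    opcode_id: str


def parse_sdmp_name(name: str) -> dict:
    """Split a Joe Sandbox .sdmp file name into its numeric fields."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return {k: int(m.group(k), 16) for k in ("pid", "stage", "base", "protect", "mtype")}


def parse_records(text: str) -> List[DumpFunction]:
    """One DumpFunction per 'Memory Dump Source' record in the report text."""
    funcs = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src = re.search(r"Source File:\s*(\S+?\.sdmp)", chunk)
        snap = re.search(r"Snapshot File:\s*(\S+\.jbxd)", chunk)
        api = re.search(r"API ID:[ \t]*(.*)", chunk)      # [ \t] so an empty API ID does not swallow the next line
        opc = re.search(r"Opcode ID:\s*([0-9a-f]{64})", chunk)
        if not (src and snap and opc):
            continue
        sm = SNAP_RE.match(snap.group(1))
        api_ids = [a.strip() for a in api.group(1).split("$")] if api else []
        funcs.append(DumpFunction(process=sm.group("proc") if sm else "?", snapshot=snap.group(1),
                                  api_ids=[a for a in api_ids if a], opcode_id=opc.group(1),
                                  **parse_sdmp_name(src.group(1))))
    return funcs


def consistent(f: DumpFunction) -> bool:
    """The Snapshot File name (pid_stage_base_process) must agree with the .sdmp fields."""
    m = SNAP_RE.match(f.snapshot)
    return bool(m) and (int(m["pid"]), int(m["stage"]), int(m["base"], 16)) == (f.pid, f.stage, f.base)


def find_api_callers(funcs: List[DumpFunction], api: str) -> List[DumpFunction]:
    return [f for f in funcs if api in f.api_ids]


def rwx_private_regions(funcs: List[DumpFunction]) -> List[Tuple[str, int, int]]:
    """(process, pid, base) of every region that is both executable+writable and private."""
    return sorted({(f.process, f.pid, f.base) for f in funcs if f.protect == 0x40 and f.mtype == 0x20000})


def describe(f: DumpFunction) -> str:
    return (f"{f.process}[pid {f.pid}] {f.base:#x} {PAGE_PROTECT.get(f.protect, hex(f.protect))}/"
            f"{MEM_TYPE.get(f.mtype, hex(f.mtype))} api={','.join(f.api_ids) or '-'} opcode={f.opcode_id[:16]}")


if __name__ == "__main__":
    funcs = parse_records(SAMPLE_RECORDS)
    for f in funcs:
        print(("ok       " if consistent(f) else "MISMATCH ") + describe(f))
    print("RWX private regions:", [(p, pid, hex(b)) for p, pid, b in rwx_private_regions(funcs)])
    for f in find_api_callers(funcs, "ThreadToken"):
        print("token API reached from", describe(f))
```

Run it against a full text export of a report instead of SAMPLE_RECORDS to get the same list for every function; the API name is matched as the report writes it (the "API ID" field drops the Set/Get prefix, so the SetThreadToken functions appear under "ThreadToken").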
                                                          Control-flow Graph

                                                          control_flow_graph: function 4a86fe0-4a87143, calls 4a8767c or 4a87697, and 4a8bf20
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (q
                                                          • API String ID: 0-2414175341
                                                          • Opcode ID: 8677a650ca9437728268374cf2b7402b445ffac2b960f9a30737aa045a930aac
                                                          • Instruction ID: 6113b9a2d6497aa043f643cd66995c9f160304b24b9b4f3878b7c2ce7ad914d0
                                                          • Opcode Fuzzy Hash: 8677a650ca9437728268374cf2b7402b445ffac2b960f9a30737aa045a930aac
                                                          • Instruction Fuzzy Hash: 20412B38B042048FDB15DFA4D854AAABBF1EF89711F245499D446EB391DB35EC01CB61

                                                          Control-flow Graph

                                                          control_flow_graph: function 4a8afa8-4a8b08b, calls 4a8a6a8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (&q
                                                          • API String ID: 0-583763264
                                                          • Opcode ID: 0eb92b431ef3e9a3feeefd4c6b266ab07e94ccc96ffa03989236ba781add0cee
                                                          • Instruction ID: 568d7cfb6cc343f2ea7856ac9cf5d9f06c2dbdddbc8d1651aa083bb6c1ab01da
                                                          • Opcode Fuzzy Hash: 0eb92b431ef3e9a3feeefd4c6b266ab07e94ccc96ffa03989236ba781add0cee
                                                          • Instruction Fuzzy Hash: D721D171A003588FDB14DBAAE400B9EBBF5EB88320F14846ED418A7340CA74A805CBA5

                                                          Control-flow Graph

                                                          control_flow_graph: function 4a829f0-4a82c67, no calls or APIs resolved
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ecdea084c9d7b117c76cc53c9b3a2e2e2548d35f7fd0d073845c4811c32ed3f1
                                                          • Instruction ID: 8e2ee806df49900303928363125d9e8687c55f475cd8b9d8295bb5f143fbeca4
                                                          • Opcode Fuzzy Hash: ecdea084c9d7b117c76cc53c9b3a2e2e2548d35f7fd0d073845c4811c32ed3f1
                                                          • Instruction Fuzzy Hash: 95918B74A00205CFCB15DF59C498ABAFBB1FF88310B248699D915AB364C736FC91CBA4

                                                          Control-flow Graph

                                                          control_flow_graph: function 4a87740-4a878f1, calls 4a87938 or 4a87940
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8b4dc9c0678cac7a95a9d9b535057ee373ee688fd9164a9355f51710bf17c984
                                                          • Instruction ID: 4fa967837f5bf516efac0ac3923b490cf8fdab6ad6076fbc7e347ffce4c7437e
                                                          • Opcode Fuzzy Hash: 8b4dc9c0678cac7a95a9d9b535057ee373ee688fd9164a9355f51710bf17c984
                                                          • Instruction Fuzzy Hash: DC51DE387002099FD714EB65DC44A6ABBE6EFC9214B2544ADD509CB351EB35EC02CBA0

                                                          Control-flow Graph

                                                          control_flow_graph: function 4a8bad0-4a8bcd6, calls 4a8afa8 and 4a8a69c
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 24a5c34d2ce0c72567c4c1cad8d4fc7df90a8e74bbc47ff0cbbeb2f4fded3658
                                                          • Instruction ID: 88b566f6bb057cac9d192099d39f47b164bc5910f120940e976254ff6c731ff0
                                                          • Opcode Fuzzy Hash: 24a5c34d2ce0c72567c4c1cad8d4fc7df90a8e74bbc47ff0cbbeb2f4fded3658
                                                          • Instruction Fuzzy Hash: A96118B5E002489FDB14DFA9D584BDDBBF1FF98310F14812AE819AB250DB34AC45CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 22f44a067530b96015b99b758812d8a6eace1eb230530e22b549929a18a773f9
                                                          • Instruction ID: ddb089c2b59bfaaf2fc630ab2e597407d9ea820a3c1b1c08980184a06bedb7ef
                                                          • Opcode Fuzzy Hash: 22f44a067530b96015b99b758812d8a6eace1eb230530e22b549929a18a773f9
                                                          • Instruction Fuzzy Hash: 035129B5E012489FDB14DFA9D584ADDBBF1FF88310F14806AE819AB351DB34AC45CB61
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3b663d3b804ba4b31cf22ee05090971774ddc4a9e30ed561a33ca3b439f398d
                                                          • Instruction ID: 056ca6cb1daa66a16588b03b0d275fb496d7e8187824fc1e14d8755c5798bcb1
                                                          • Opcode Fuzzy Hash: a3b663d3b804ba4b31cf22ee05090971774ddc4a9e30ed561a33ca3b439f398d
                                                          • Instruction Fuzzy Hash: 6F3106F0A04202DBFF248E6DC911ABAB7FAAB8525CF188075D9008F655D735ED41C7A1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f63933c53c1406001a27473951d01b13d5ca3d7863933f5caf284564cf4e17ee
                                                          • Instruction ID: fc3dacfe9e3f226808b0d5f2e174b9133dbdb1c36b1703c054e3f9fe3ac4a0b6
                                                          • Opcode Fuzzy Hash: f63933c53c1406001a27473951d01b13d5ca3d7863933f5caf284564cf4e17ee
                                                          • Instruction Fuzzy Hash: 89415F35A042458FDB15DFA4C964AAABFF1EF8A214F2540ADD845EB3A1DB35DC01CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0017c16709bd18953942b381cd8d4e9897ab14e703b1811c3fb0ff18a6939651
                                                          • Instruction ID: 172bdd44e1cd4363c2112d4d05529e9147feb2bfb13320781fa52f86b15875c3
                                                          • Opcode Fuzzy Hash: 0017c16709bd18953942b381cd8d4e9897ab14e703b1811c3fb0ff18a6939651
                                                          • Instruction Fuzzy Hash: 9B4169B5A00609CFDB15CF49C598ABAFBB1FF48310B118699D815AB364C732FC91CBA4
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26d186a8cef69fc3f0776505959cd56f8d3684de9cc9ff4d3ce53a05a5d8898f
                                                          • Instruction ID: 919b0eb1375078e37b68ff80eaf88c4a72bd599079402f9edefecc03231a36b3
                                                          • Opcode Fuzzy Hash: 26d186a8cef69fc3f0776505959cd56f8d3684de9cc9ff4d3ce53a05a5d8898f
                                                          • Instruction Fuzzy Hash: 5E31A0393002019FD715EB78E894B9EB7D6EFC4225F048629E509CB351EF70A806CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8df9da4da23139d2d25ebeea559c4857bbe5b083cd0cbabb507016ccb3eb66ca
                                                          • Instruction ID: 789d16eb7f30d31dd8c42dc9a80cc3e3fffa9e02d13f989d1c53e91afd4daaef
                                                          • Opcode Fuzzy Hash: 8df9da4da23139d2d25ebeea559c4857bbe5b083cd0cbabb507016ccb3eb66ca
                                                          • Instruction Fuzzy Hash: 21316A74E002099FDB14EFA9D4947AEBBF2EF88304F14802EE405EB255EB749C468B61
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c6d0a6cb497dc28b3db34bfa6fb9cd50970d275e55d5f78614b188781acdbe3
                                                          • Instruction ID: ef98fc8de1fde86ba62328f2d444a265b61881a52f10fae5896fff0a832fd808
                                                          • Opcode Fuzzy Hash: 1c6d0a6cb497dc28b3db34bfa6fb9cd50970d275e55d5f78614b188781acdbe3
                                                          • Instruction Fuzzy Hash: 1C3190B8E013449FDB01DBB4D494AEE7BB2EF85300F1584A9D510AF396CA38AD01CB61
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ba2c990e295e0dc18e5dbe9b8f16093672767f42ee4feb60c9d7060b76ac3f6
                                                          • Instruction ID: b8874832e84f90ef08ec2f11d5a8c7f3e5bc04c7355e8e2b491240306744287f
                                                          • Opcode Fuzzy Hash: 9ba2c990e295e0dc18e5dbe9b8f16093672767f42ee4feb60c9d7060b76ac3f6
                                                          • Instruction Fuzzy Hash: 8D316F74E002099FDB14EFA9D5947AEBBF6EF88304F14802EE405EB350EB749C058B61
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe22cdd00062095ebd6f30040ca396cdfa6d94a254b5c067068466920dcd8ad1
                                                          • Instruction ID: 64a75626722a2f8642416a535e93f1eb08ebe766e9ba6fd61f459339e68927b8
                                                          • Opcode Fuzzy Hash: fe22cdd00062095ebd6f30040ca396cdfa6d94a254b5c067068466920dcd8ad1
                                                          • Instruction Fuzzy Hash: 20314B74A002049FCB18DF68D49869EBFF2EF8D220F14456DD406EB3A1DB31AC45CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff8b97c2a3e30ee20287b8d764e1ac7ec6dd0a348bc662b3afaccc697daca47c
                                                          • Instruction ID: 4390f018c9bcfbe3b524338e7e2345736f932b6c4e066072e8ee665e80ca87eb
                                                          • Opcode Fuzzy Hash: ff8b97c2a3e30ee20287b8d764e1ac7ec6dd0a348bc662b3afaccc697daca47c
                                                          • Instruction Fuzzy Hash: 7A31F674A002048FCB18EF69D558A9EBBF2EF8D614F14856DD406EB390DB74AC45CF91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3600c56708199ce813f8cf4552adb749c916ef8e5a9ae5b933e661e3478561f
                                                          • Instruction ID: 9bd74d66a992db04db307c0d5399712f66b84499a854a156b240e909a97bb858
                                                          • Opcode Fuzzy Hash: d3600c56708199ce813f8cf4552adb749c916ef8e5a9ae5b933e661e3478561f
                                                          • Instruction Fuzzy Hash: 83312FB8E013099FDB04EFA4D454AEE7BB6EFC5300F108469D511AB395DA39ED018B91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2102125640.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_30dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b2a5b7ea2caa949cd63befa549c047eb9e8f3ef7242ff2a4778ed2c4a714830
                                                          • Instruction ID: 87c239ba3f481a184cd1e18cb3c0f1785006de1826d251873f4444e66e2f9ec5
                                                          • Opcode Fuzzy Hash: 1b2a5b7ea2caa949cd63befa549c047eb9e8f3ef7242ff2a4778ed2c4a714830
                                                          • Instruction Fuzzy Hash: 8921F172508301EFDF05DF10D9C0B1ABBE5FB88214F24C9ADE90A0B656C336C456CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a5b236924e1f4020e15a41ea0a7cc947f9dc02107efc3b002af48d0bb7de98a
                                                          • Instruction ID: 84cc014e346425c46f0f38d55966e6e3a588ff0de57e9a0bad2ae93a92e38ba6
                                                          • Opcode Fuzzy Hash: 4a5b236924e1f4020e15a41ea0a7cc947f9dc02107efc3b002af48d0bb7de98a
                                                          • Instruction Fuzzy Hash: F3318BB5A053848EDB64DF6AD0883DAFFF6EB89320F28C05ED44D9B206C6746445CB51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2102125640.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_30dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aa479a6ff8db76884c81c12a47efa5a6f3939a94e4d0bf5153c15a6373726956
                                                          • Instruction ID: c3d09d50bb89bf39128b02e8de81176215da6f2ef8e3e478d9396d0cb67ed54c
                                                          • Opcode Fuzzy Hash: aa479a6ff8db76884c81c12a47efa5a6f3939a94e4d0bf5153c15a6373726956
                                                          • Instruction Fuzzy Hash: 8121F275505341EFDB14DF24E9C0B16BFE5EB88314F24C9ADE90A4F242C336D446CA62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7fed6c8ed4eff6f6e81a4d0891645718ce82aa0e1a4fcb71b0e837ff8ffd878f
                                                          • Instruction ID: 732e77f8fdb4f9dd8234e307cbb39a2923d8975ef1d4541fabe9a0484d8d0b5c
                                                          • Opcode Fuzzy Hash: 7fed6c8ed4eff6f6e81a4d0891645718ce82aa0e1a4fcb71b0e837ff8ffd878f
                                                          • Instruction Fuzzy Hash: 332177B4A017448FEB64DF6AC4883DAFFFAEB89314F28C01ED84D9B205D77464858B65
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2102125640.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_30dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d7a8d60280a57bd4ab76c4ceea91c400082cf58766305ed82f770040a28917a
                                                          • Instruction ID: 79ae3f3f641f724753a941f82882a779d86e2742998dd66658c373a150afa4e5
                                                          • Opcode Fuzzy Hash: 4d7a8d60280a57bd4ab76c4ceea91c400082cf58766305ed82f770040a28917a
                                                          • Instruction Fuzzy Hash: 392105B1A053419FDB14DF24D5C4B2ABBE5EB84314F24C9ADDA0A4B345C336D946CA62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 130b0d49b5333635a3402aace2525c82f0d6e923d9c61633632ccafa96c81605
                                                          • Instruction ID: 3476d150b1ec973643cdaffcef83a6c521d9d003aed00617eefcf9cbfc051bb1
                                                          • Opcode Fuzzy Hash: 130b0d49b5333635a3402aace2525c82f0d6e923d9c61633632ccafa96c81605
                                                          • Instruction Fuzzy Hash: C011333AB002198FCB14DFA8E840ADD77F6EFCC611B1440A9E509DB314DB35DC068BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2102125640.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_30dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
                                                          • Instruction ID: ca84e2ba79a2cb7517b4d111f4265e6c9fa31e86c17d3a87cd3a7cf98f844ea0
                                                          • Opcode Fuzzy Hash: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
                                                          • Instruction Fuzzy Hash: 66216A76508240DFCB16CF10D9C4B16BBB2FB88314F28C5A9E9494AA56C33AD46ACF91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2102125640.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_30dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ddb3734c724926600bbb3f8bc75d71c7802c012624ff9d398f3a9d8363b068c
                                                          • Instruction ID: f0f0f281e6437f01096f24819e8b9295b263306b50ac69905f4b2d8394975525
                                                          • Opcode Fuzzy Hash: 0ddb3734c724926600bbb3f8bc75d71c7802c012624ff9d398f3a9d8363b068c
                                                          • Instruction Fuzzy Hash: C1119075505380DFCB15CF14D5C4B15FFA1FB84318F28C6A9D84A4B656C33AD44ACB51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aec8f26e1cd5458bf0cfd8eef0a6d76e872cbaee664d1b1d3161c6b312525828
                                                          • Instruction ID: 3eec3295bc0e162bc51f7ed65d16156474d4ae8957e82992ad5e235731bcb5c7
                                                          • Opcode Fuzzy Hash: aec8f26e1cd5458bf0cfd8eef0a6d76e872cbaee664d1b1d3161c6b312525828
                                                          • Instruction Fuzzy Hash: 2D01F9316087449FD715DB75D994A9A7FF0EF45220F1884EEE08DCB6A3C621F845C701
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2102125640.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_30dd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3ed5684ea9962eee80dbadc863b26c31e8d70c5354f6a484d6a1ef7ea59348ea
                                                          • Instruction ID: 64ee57ec194db90d19759e4a768eaf62080f55796aaf8c61b3c820894e03a879
                                                          • Opcode Fuzzy Hash: 3ed5684ea9962eee80dbadc863b26c31e8d70c5354f6a484d6a1ef7ea59348ea
                                                          • Instruction Fuzzy Hash: 5611BCB55052808FCB15DF24D5C4B15BBE1FB48314F28C6ADC94A8B656C33AD44ACB92
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8ff70c359c2277713df4873c6c52f95a7bdc4866105fdf0be020d2047958fc78
                                                          • Instruction Fuzzy Hash: 34E04F319041499BCF09BBB4E89A4EDBFB0EE15315F40019DD95652592EA61198ACBC0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a0d283b2888ec2f599aa3a7b692e524ca29bb4300b9d7669f78dbdb201119e0
                                                          • Instruction ID: 674589c25c16dc1a1caf89823c035ee3292251186e883384d9a5b2a07686df00
                                                          • Opcode Fuzzy Hash: 7a0d283b2888ec2f599aa3a7b692e524ca29bb4300b9d7669f78dbdb201119e0
                                                          • Instruction Fuzzy Hash: FAE048359082465BCB45DFB8E08646EBFF0DF56214F10419ED94597203E6315486DF81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 41579d8dd58f284f19bf7db9573a2c5b2e905ca77855d19ad185ff2229c0ef8b
                                                          • Instruction ID: 216e41893a300d6160f72355ab72cf8414385b900fdc1d06e1f960babbf9b2b1
                                                          • Opcode Fuzzy Hash: 41579d8dd58f284f19bf7db9573a2c5b2e905ca77855d19ad185ff2229c0ef8b
                                                          • Instruction Fuzzy Hash: B5E09AB0D052468FCB40EFADC48256AFFF0EF49210B1082AEC948D7201E3324641CB81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction ID: 955cc37446e1beab0d26f4bf2ffc1d638cdd9fb885a324317ecc7b226bac0ac7
                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction Fuzzy Hash: ABD067B0D0420A9F8780EFADC94156EFBF4EB48204F6085BE9919E7311F7329A129BD1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d393abf53c003b98eb3074ff26e337d6ce18702afe0ba98e0e485d9475b65b47
                                                          • Instruction ID: 793b0785e533cb0bc7fc00e653db862fa2663b25510dc1a8e0b334696f519b4f
                                                          • Opcode Fuzzy Hash: d393abf53c003b98eb3074ff26e337d6ce18702afe0ba98e0e485d9475b65b47
                                                          • Instruction Fuzzy Hash: 22D067319041098BCF08BBA5E89B4FDBB74FE14305F40416DDA1752591EE312A5ADFC5
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9f99dbab5c6c0e60f6be959096b39d4aeaea2044d937dd67f360eb5898e9a5c5
                                                          • Instruction ID: 02a7cb788c68bdf0f0eb6c71f004094c47ee514696407395dc12a2f75f3e65d5
                                                          • Opcode Fuzzy Hash: 9f99dbab5c6c0e60f6be959096b39d4aeaea2044d937dd67f360eb5898e9a5c5
                                                          • Instruction Fuzzy Hash: CFD01734A0820A8B8B08EFA4E48A86EBFB4EB45208F00816DDD4993340EA306805DBC1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 584e53da3468e8408ffd5896c4469da8f8a0faf90fc3c7efae78e0fd52bdaaf0
                                                          • Instruction ID: fcdaa1658a9c4ab555bc091bbb7e12e6c21c09c19f270cf3d978eb00145bc9fc
                                                          • Opcode Fuzzy Hash: 584e53da3468e8408ffd5896c4469da8f8a0faf90fc3c7efae78e0fd52bdaaf0
                                                          • Instruction Fuzzy Hash: 42C0021550A7C49FEF43567118A63553FB14D53A1870B49C69CC18B4A3CA588849CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78ace51699e6c6007ee5e1cab64a66353292b02eb284ac5ca8153ae108c04061
                                                          • Instruction ID: 6b3e1e28c4e115de7f35e17b500f80f07706390f54faa594625918bd25e429f8
                                                          • Opcode Fuzzy Hash: 78ace51699e6c6007ee5e1cab64a66353292b02eb284ac5ca8153ae108c04061
                                                          • Instruction Fuzzy Hash: 26C08C3E48938A85C20A27F42B202543F944DC221872A8CDBE8491A9B28D3AA8D1C641
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e5cbc23d3e70286c94e55a699f625ab608fe58c5356cda4b40490b6e24e48bf5
                                                          • Instruction ID: 27688c4e2ca65547e307901b8bfd76213b2b2f4bf5791fe0dd6a1ed5092d563c
                                                          • Opcode Fuzzy Hash: e5cbc23d3e70286c94e55a699f625ab608fe58c5356cda4b40490b6e24e48bf5
                                                          • Instruction Fuzzy Hash: 3EB09230448708CFC2486FB9A4489197729AF4021978104A9E90F0A2968E36E884CA84
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cDk$4'q$4'q$4'q$4'q$84Ol$84Ol$tPq$tPq$JRl$JRl$JRl$JRl$JRl$rQl$rQl
                                                          • API String ID: 0-3285622846
                                                          • Opcode ID: d28f8b957b8c8075dc3933a9987e46e0b35d0efaa46be0c57f15a4340b36fb6d
                                                          • Instruction ID: 7a0dc7f402b7af32cf8b558b2a6cbaa96c213235d9800814d240358f5a96c13e
                                                          • Opcode Fuzzy Hash: d28f8b957b8c8075dc3933a9987e46e0b35d0efaa46be0c57f15a4340b36fb6d
                                                          • Instruction Fuzzy Hash: B3D128B1B4430B8FEF249B6D98056AABBF6BFC5214F1884BBD5158F251DB31C842C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q$$q$Gl$Gl
                                                          • API String ID: 0-2055229760
                                                          • Opcode ID: 03e6dedb25c71b60d2bfb2ce20d35495556184b85158200c35a0e3f5793a2633
                                                          • Instruction ID: cdad793945b18cd45410976c7b7861eb48d46734cb6d528221b0aeb33205e84c
                                                          • Opcode Fuzzy Hash: 03e6dedb25c71b60d2bfb2ce20d35495556184b85158200c35a0e3f5793a2633
                                                          • Instruction Fuzzy Hash: E85148B57043069FFF245E6E98017A6FBBAAFC6618F18807BD405CB351DA35C842C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TcDk$lcDk$JRl$JRl$JRl$JRl
                                                          • API String ID: 0-4195200314
                                                          • Opcode ID: 73adbc23a137285951f3de4edfe782ad0d2c82fa846782b5f6a2e1e55f272fdd
                                                          • Instruction ID: 2f04ab757cea219e200bf7286a0b61cb9a0a433369e531624a73177c87a3f3ff
                                                          • Opcode Fuzzy Hash: 73adbc23a137285951f3de4edfe782ad0d2c82fa846782b5f6a2e1e55f272fdd
                                                          • Instruction Fuzzy Hash: 6321D77560E3D1AFE72A97285C10AD27FB5AF97604B0984F7C190CF5A3C6688C45C3A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: 22362bf340587cdebe930bc527a7aa629f9631201469471788c1272d413caa3a
                                                          • Instruction ID: de098d3e1f2ef98e43f3293c1205fb8a1aa3c9f0a64cf270716d04848bacc6df
                                                          • Opcode Fuzzy Hash: 22362bf340587cdebe930bc527a7aa629f9631201469471788c1272d413caa3a
                                                          • Instruction Fuzzy Hash: ABB19378E013099FDB55DFA9D980A9DFBF2FF88314F148629D419AB305DB30A9058F91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: e51e6f0166f20ce098270a8182174d618d59eb7ad1df81dc036a05a43e39a3b3
                                                          • Instruction ID: df49a805e6e10a2d40f4fdcc7f72021023f325985f833bc1443aa28e64196529
                                                          • Opcode Fuzzy Hash: e51e6f0166f20ce098270a8182174d618d59eb7ad1df81dc036a05a43e39a3b3
                                                          • Instruction Fuzzy Hash: 3EB18378E013099FDB54DFA9D980A9DFBF2FF88314F208629D419AB304DB30A9058F91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2104469774.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_4a80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `q$`q$`q$`q
                                                          • API String ID: 0-10485352
                                                          • Opcode ID: 84c412db75d548771649ff26cb2e39deab0b62146f85ebbd74206a620b9ce849
                                                          • Instruction ID: 3f51bb31f8b3ac768b8aa89d0018631f46f57dd52af1afef84e1309d054b3334
                                                          • Opcode Fuzzy Hash: 84c412db75d548771649ff26cb2e39deab0b62146f85ebbd74206a620b9ce849
                                                          • Instruction Fuzzy Hash: BB915078E012199FDB54DFA9D990ADDFBF2FF48314F24822AD819AB305D730A9058F91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$$q$$q
                                                          • API String ID: 0-4102054182
                                                          • Opcode ID: 17b955e9ab0f9bf02622671320b6a5a01073969bea9b73bfb5dcb7ac5cf03e9e
                                                          • Instruction ID: 51cea16ccd71b378ed446019fe2eaa315b3861c82595c05a8114d0a0a3eca90a
                                                          • Opcode Fuzzy Hash: 17b955e9ab0f9bf02622671320b6a5a01073969bea9b73bfb5dcb7ac5cf03e9e
                                                          • Instruction Fuzzy Hash: B12147B17143069BFF35563F9800B67F7DAABC1619F2A843AA9058B3C1DE75C912C321
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q
                                                          • API String ID: 0-3199993180
                                                          • Opcode ID: 047a0bd19e5846002eabc6f2f229dbfe1094e823a5a2db69e51ef8b1b2477e97
                                                          • Instruction ID: 71f48bed097c2b21756f490b0eb804bd874975a0af9d8ec3d205a7dacc6e9cc5
                                                          • Opcode Fuzzy Hash: 047a0bd19e5846002eabc6f2f229dbfe1094e823a5a2db69e51ef8b1b2477e97
                                                          • Instruction Fuzzy Hash: B001A260A0D7878FEB2A522C78222A66FB69FC351472D40EBD491CF653C9258C06C3A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2131723624.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7990000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$JRl$JRl
                                                          • API String ID: 0-2494032063
                                                          • Opcode ID: e5f092affaaf705d28ac324ed8e343b25b86f6ce423eca6b626c95d0fe51cdc1
                                                          • Instruction ID: 1b688d94d96e544e5fc675dace45ce85b3337b03008cc09571c3fd8a90f158f3
                                                          • Opcode Fuzzy Hash: e5f092affaaf705d28ac324ed8e343b25b86f6ce423eca6b626c95d0fe51cdc1
                                                          • Instruction Fuzzy Hash: 1301F7B2A0D3829FE736872C2C101D66BBAAFC3514B1945F7C551DF166C6384C06C366
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: KU-l^$[U-l^$kU-l^${U-l^$\-l^
                                                          • API String ID: 0-848589921
                                                          • Opcode ID: d5a0c6efdd2b898e9b6b201c10ed5f8dd198e5a9b6e36973a9e56886de8bff3f
                                                          • Instruction ID: e381e944f13441fa5951951d13d242f79a897c5e567ba134897e3d9a33ea2f19
                                                          • Opcode Fuzzy Hash: d5a0c6efdd2b898e9b6b201c10ed5f8dd198e5a9b6e36973a9e56886de8bff3f
                                                          • Instruction Fuzzy Hash: FF9152B4F007146BDB19DFB58810AAE7BE2EF84710B408A2DD516AF384DF789E058BD5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: KU-l^$[U-l^$kU-l^${U-l^$\-l^
                                                          • API String ID: 0-848589921
                                                          • Opcode ID: 2826b2d78143c3e4fe83b2e15b9f7827515deca34595b938ecf91b057c997a51
                                                          • Instruction ID: c85733f7ae40f846e0df346819dbb2f0185b114fec69bd09fc3a9d78745a8bec
                                                          • Opcode Fuzzy Hash: 2826b2d78143c3e4fe83b2e15b9f7827515deca34595b938ecf91b057c997a51
                                                          • Instruction Fuzzy Hash: 739153B4F007146BDB19DFB58810AAE7BE2EF84710B408A2DD516AF384DF789E058BD5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q
                                                          • API String ID: 0-4210068417
                                                          • Opcode ID: 0ec171eeb048ecc7ed444daf613fdea61526f2927e0a14a3863899594c40f7ce
                                                          • Instruction ID: 3308236d2a7bde55e41b9ef6a8bc1986f4b40d10bbd5ed30c3032610e1dda553
                                                          • Opcode Fuzzy Hash: 0ec171eeb048ecc7ed444daf613fdea61526f2927e0a14a3863899594c40f7ce
                                                          • Instruction Fuzzy Hash: 5E1246B1B043568FEB358B6898017EABBF6AFC6214F14807AD515CF293DB35C942C7A1
                                                          • Opcode Fuzzy Hash: 50626a22a796c4de56e253392deb7129644bd7a95a214057f4ee36aa2e213cd3
                                                          • Instruction Fuzzy Hash: 6521E272508700EFDF15DF50D9C0B16BBA9FB88314F64C5A9EE090B656C336D496CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 98244b79081e17f12fc9638b662f5d076e9190cebdca782b68eaaf3afd7e9290
                                                          • Instruction ID: abfbc62dd0aade459324f70f2bda44d33097ccac27be511070609b5f5e877d51
                                                          • Opcode Fuzzy Hash: 98244b79081e17f12fc9638b662f5d076e9190cebdca782b68eaaf3afd7e9290
                                                          • Instruction Fuzzy Hash: DC210475604240EFDB14DF20D9C0B26BBA9FB84314F64C5ADEE0A4B692C33AD446CA62
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5c99081d1890e9432d7d4144c5ead3ba642734359861b2ddef4d7a2724754c0
                                                          • Instruction ID: fd889b6542e73b185e131e91695937c23975631b73e32a45100a51b171a169f4
                                                          • Opcode Fuzzy Hash: d5c99081d1890e9432d7d4144c5ead3ba642734359861b2ddef4d7a2724754c0
                                                          • Instruction Fuzzy Hash: C021B6B1B002059FEB209B64C444BEA77F6FBCA311F40C0A6E9559F692CB75DC418B76
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ccd0f3a00f4f9c4e596fa79b193755cc12f808df6434b28b2b2cf4613f9f7e94
                                                          • Instruction ID: 923bc3e51f29656fa3ba582daac65b2b310e88efd3c50be800745bba0c724c28
                                                          • Opcode Fuzzy Hash: ccd0f3a00f4f9c4e596fa79b193755cc12f808df6434b28b2b2cf4613f9f7e94
                                                          • Instruction Fuzzy Hash: 5021ADB4E117449FDB60CFAAC08878AFBF2EF88310F28C11ED45D9B205C77464808B60
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c87c6015a98655b2b17c8202133b3f0c4347a862e032b47d06040bfaf843725
                                                          • Instruction ID: c67448485ddaabdb9ccae9cb583f337776f631e3e5088211566f060670245b66
                                                          • Opcode Fuzzy Hash: 3c87c6015a98655b2b17c8202133b3f0c4347a862e032b47d06040bfaf843725
                                                          • Instruction Fuzzy Hash: 8921E7B1A043449FDB14DF24D9C4B36BBA9EB84318F64C5ADDE0D4B741C73AD446CA62
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 60c5466952fe166a0cf9b261e1c30df3cce82cfbdeb2ce764c9fb3edd30c75b8
                                                          • Instruction ID: bd13cfbaa01cd7ca38db78ec2c68369beb1f0b04af9903b501bd5fce57d1cf41
                                                          • Opcode Fuzzy Hash: 60c5466952fe166a0cf9b261e1c30df3cce82cfbdeb2ce764c9fb3edd30c75b8
                                                          • Instruction Fuzzy Hash: A9114279B002198FDF14DBA8E840BDE77F6EBCC625B1441A8E509DB715DB34DC028BA0
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 725795e3cbecfabdf3e75aefd0486fb46626eb0289b26ce243a4eb3bfd8660f0
                                                          • Instruction ID: ddde381cddec2a9241ac71cda01a9b3ee080d9352e995964466cc8531e0fee2c
                                                          • Opcode Fuzzy Hash: 725795e3cbecfabdf3e75aefd0486fb46626eb0289b26ce243a4eb3bfd8660f0
                                                          • Instruction Fuzzy Hash: 511108719093909FDB03DFA8D8606E9BFB0EF86328F0582D7D0519B2A2C626DC45CB65
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ad4f9bc0b9a2400e99e2e14db85fc6d9ef9abfae6c6b07928181a70ce34fcd6c
                                                          • Instruction ID: 94ce6d272b78b525c7d0ff182a361f603cb9ccd03f0aeac85e5580f6bf368896
                                                          • Opcode Fuzzy Hash: ad4f9bc0b9a2400e99e2e14db85fc6d9ef9abfae6c6b07928181a70ce34fcd6c
                                                          • Instruction Fuzzy Hash: E111B6F1A0024ADFDB30CF59C594BE6B7F9EB85311F44816AE92497113D331E940CB91
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
                                                          • Instruction ID: 736cc53872be90d6f527a54d5a0a0a6f1d70123e5684c7a7b8681c714957e005
                                                          • Opcode Fuzzy Hash: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
                                                          • Instruction Fuzzy Hash: BE216D76508640DFCB16CF10D9C4B15BB72FB48314F28C5A9DE494A656C33AD456CB91
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ddb3734c724926600bbb3f8bc75d71c7802c012624ff9d398f3a9d8363b068c
                                                          • Instruction ID: 334d85bf17276cc49b3def3dd3bca4fce08ada343fdaa3c760e9fcc04b6d835c
                                                          • Opcode Fuzzy Hash: 0ddb3734c724926600bbb3f8bc75d71c7802c012624ff9d398f3a9d8363b068c
                                                          • Instruction Fuzzy Hash: 16119D75504280DFCB15CF24D9C4B15FFA1FB84328F28C6AADD494B656C33AD44ACB61
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3ed5684ea9962eee80dbadc863b26c31e8d70c5354f6a484d6a1ef7ea59348ea
                                                          • Instruction ID: 5edcfa53742e55cd62f88e9303c8a4fea4ceb05393c65a7c478de7e8115c3924
                                                          • Opcode Fuzzy Hash: 3ed5684ea9962eee80dbadc863b26c31e8d70c5354f6a484d6a1ef7ea59348ea
                                                          • Instruction Fuzzy Hash: 40119AB55042848FDB15DF24DAC4B25BBA1FB88318F28C6ADCD494B652C33AD44ACB92
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6b9ce9fb850085dbe25eb6f55f58cd5d60157fa35bed66b3fddffea631b835a5
                                                          • Instruction ID: e711e0fafd354309365cdbdefaa65e055a973e2ef9efa3c69a2464fde2c20fa9
                                                          • Opcode Fuzzy Hash: 6b9ce9fb850085dbe25eb6f55f58cd5d60157fa35bed66b3fddffea631b835a5
                                                          • Instruction Fuzzy Hash: CB1135342047408FC728DF35C08085ABBF6EF8931532089ADD48A8B7A0DB36F802CB50
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8b2a0dcd62dfdb67ba0c6128dcd8e2456368c877205b018df67abb7bfb3ae52
                                                          • Instruction ID: f37fe4dd3be2173dc8c58a534a5b1c8d9a3929a7fe02d5e518d834d6c0d90310
                                                          • Opcode Fuzzy Hash: f8b2a0dcd62dfdb67ba0c6128dcd8e2456368c877205b018df67abb7bfb3ae52
                                                          • Instruction Fuzzy Hash: 300192357002149FCB15DF78E848AAEBBF5FB88315F04806DE51AD3242DB319911CF91
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3eb32cb9d3ba2e4b0f48bdb2534c3a328dfb4d20ee265c06355097c62a33b311
                                                          • Instruction ID: 199cc7cbda220ec0af9c58efd5e9acac03a5ed68909f0a19b3d0ecab1c3ee564
                                                          • Opcode Fuzzy Hash: 3eb32cb9d3ba2e4b0f48bdb2534c3a328dfb4d20ee265c06355097c62a33b311
                                                          • Instruction Fuzzy Hash: 55F0C8B170A3916FD7018A795C549BB7FE9DF86650B1841ABF844C7352DAB0CD058B60
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d588a6ecf57fc291e04d60c1ab0dbab482812b4e3a02121bc0aae8b808f340a
                                                          • Instruction ID: fbc2916381abb14a59c14d512cb4f29cecebab1aa697569494f528cc270d3ada
                                                          • Opcode Fuzzy Hash: 6d588a6ecf57fc291e04d60c1ab0dbab482812b4e3a02121bc0aae8b808f340a
                                                          • Instruction Fuzzy Hash: C101F771408301AFE720CA22CDC8B66FBDCEF41624F08C15AEE480F646C37C9441CAB5
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1cf1f101f7bf1a7bcfd1e403d26341c2ae339923351f085b115a590ca165d01b
                                                          • Instruction ID: c59d1089760bbc9957c249cc1350838bb179c5bcce9da4998c3cb3490c19fab1
                                                          • Opcode Fuzzy Hash: 1cf1f101f7bf1a7bcfd1e403d26341c2ae339923351f085b115a590ca165d01b
                                                          • Instruction Fuzzy Hash: 9201E17140D3C09FD7128B258D94752BFB49F53624F1D81DBD9848F297C2695845C772
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f1a9b1b7f9bf477ab45f169af3d7cbfac3d9a72559b3757e40ea4b3bee1c206
                                                          • Instruction ID: 7a2c9872b4d945865c5ab5603fc54e9c722d9080f27386c59bff0cf0a4f05bec
                                                          • Opcode Fuzzy Hash: 6f1a9b1b7f9bf477ab45f169af3d7cbfac3d9a72559b3757e40ea4b3bee1c206
                                                          • Instruction Fuzzy Hash: 76012BB6B087406FE7169B78C4553DA7FA1DBC2320F44C1ABD1058B386CE396846C7B1
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 140a07214e5ec8c803587075590a1ab8eb1ef910f87737490b6d62425dce85eb
                                                          • Instruction ID: f4a97afff63200911e6a71af6a0477a700afc5d23e02959aa46442271f40d26b
                                                          • Opcode Fuzzy Hash: 140a07214e5ec8c803587075590a1ab8eb1ef910f87737490b6d62425dce85eb
                                                          • Instruction Fuzzy Hash: 66F021B57006147F4B19E2D9A8008EF7799C9F65F4F004167E105C7918DA104C0542F6
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fbd83077e15894019ceabf89f08b57497f9700de72057b4f6cea2c464f294c37
                                                          • Instruction ID: 65cb02e3e2c2006c3a87a598a77a2dd739d66fede942f58c4504acd04840f151
                                                          • Opcode Fuzzy Hash: fbd83077e15894019ceabf89f08b57497f9700de72057b4f6cea2c464f294c37
                                                          • Instruction Fuzzy Hash: AAF028313053406FCB018765D840D6FBBF4EB8A130B10056ED149CB251CE709C45C772
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d361a84fb74e9a0ee7475a3d958cdb30f42643e4eb3dc12622c10d2a665d645
                                                          • Instruction ID: 748ad10a6395c31928176df8aad3d0b3dee93d30856922fbbb7e204a570c272c
                                                          • Opcode Fuzzy Hash: 6d361a84fb74e9a0ee7475a3d958cdb30f42643e4eb3dc12622c10d2a665d645
                                                          • Instruction Fuzzy Hash: 4AF0E776600600AFD720CF0AD985C23FBADEBD4A70719C55AE94A4B616C671EC41CEA0
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43c68e188ed0dddd5de748d11a178ca7ee89f62a1626a7c3fe32a58937793bd4
                                                          • Instruction ID: 80cd3eebc743bcf206c1c4e6c740f6a2824d0a1d70561e2c686810aeb85a8d17
                                                          • Opcode Fuzzy Hash: 43c68e188ed0dddd5de748d11a178ca7ee89f62a1626a7c3fe32a58937793bd4
                                                          • Instruction Fuzzy Hash: 5BF0EC383042418FC3108B2CD8A4D62BBF9AFCA71472811AAE184CF732CA32DC02CB90
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 23952d348d99c9ba241aa916fbeb7d07f1e64f9a1efc29f7ec683da3de5a044d
                                                          • Instruction ID: 580788d974a3154859c982f6a8ed86343a28f3f8eafaf58925ad011f6eb07e97
                                                          • Opcode Fuzzy Hash: 23952d348d99c9ba241aa916fbeb7d07f1e64f9a1efc29f7ec683da3de5a044d
                                                          • Instruction Fuzzy Hash: B9F0A775700715AFDB149A65E844EAF77F9EBC8671B00052DE14AD7740DF30AC418765
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2155951351.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_33fd000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33d9c81aec4befcfab925e43dea55d86a5ba802ddd334ec6b45ef353f73100f2
                                                          • Instruction ID: 00b4d431591028bb0a0df23effb802a98e99810fed91b394cc1c4d5016012e27
                                                          • Opcode Fuzzy Hash: 33d9c81aec4befcfab925e43dea55d86a5ba802ddd334ec6b45ef353f73100f2
                                                          • Instruction Fuzzy Hash: 9AF04975100640AFD720CF06CD85D23BBB9EB85A20B198489F85A4B312C771FC02CF60
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4fb2d44aeebe3bf142516c97c91bd6cebca835a174437000d5591e211004e651
                                                          • Instruction ID: 0b4ccfcecf57c4806c0804246717c3eb60b008f268d3716206deb99d060aa2b9
                                                          • Opcode Fuzzy Hash: 4fb2d44aeebe3bf142516c97c91bd6cebca835a174437000d5591e211004e651
                                                          • Instruction Fuzzy Hash: BFF0BE75A153005FD760DBB8D4AC3AABFE0EB06320F0045AED14ECB382DB35A8828B50
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bdf8f98bcadb8ce8b1d9234822a37aab6863ec9bd179890924c116774e67dcc
                                                          • Instruction ID: 2d4f22983248e397515f886036afa9e07a4452f75504f10e4529c12b1a74b238
                                                          • Opcode Fuzzy Hash: 5bdf8f98bcadb8ce8b1d9234822a37aab6863ec9bd179890924c116774e67dcc
                                                          • Instruction Fuzzy Hash: 30F030797002158FDB10EBADA84079A77F6EBC8655B1582A8E509CF715DF34DC034B91
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8e5a0749877c0a573405c433546009a6e3e33c382f706afce9b7ea0155fb4af
                                                          • Instruction ID: 0b8189dca680de74a65f69792cb0e909cc8da65fc1ffb05674b55240921cd1d3
                                                          • Opcode Fuzzy Hash: f8e5a0749877c0a573405c433546009a6e3e33c382f706afce9b7ea0155fb4af
                                                          • Instruction Fuzzy Hash: DFF02779B046049FE304EB69D04579FBB96DBC4325F50C12ED5194B388CE39A841C7F0
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16624e7204b28e6c1a9a396d4b8f1b9ea21c94c5caf3301baed6c541958c89fd
                                                          • Instruction ID: f78d07bb0ba0f343e08123f3b60b4f30ac291f423267cf0a13866167d0173a0f
                                                          • Opcode Fuzzy Hash: 16624e7204b28e6c1a9a396d4b8f1b9ea21c94c5caf3301baed6c541958c89fd
                                                          • Instruction Fuzzy Hash: DDE09A353002018F83108B5DD498C26B7FAEFCEB2571901AAE549CF320CA32EC02CB90
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 32bfcfd2c7ad142d2ad169c16e36f76454bc14aadf38973c5f3796eb45c7f46c
                                                          • Instruction ID: f41be70a9ca715625e2b5efe0cef0c017632004cbd6e40fcecc532ff6f7d67a8
                                                          • Opcode Fuzzy Hash: 32bfcfd2c7ad142d2ad169c16e36f76454bc14aadf38973c5f3796eb45c7f46c
                                                          • Instruction Fuzzy Hash: 00F027357183806FC70B6B74941C2AD7FA1EFC6225F04409FDA058B283CF68480283E2
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5de932f7a69b55e81a537c3fe0b7c4486ad2de04d06965fbd7ba4f9804f8f831
                                                          • Instruction ID: 36876b8c08d430e72406d5e5663a7cb0125a509cd0359586e5ab51cd0825d230
                                                          • Opcode Fuzzy Hash: 5de932f7a69b55e81a537c3fe0b7c4486ad2de04d06965fbd7ba4f9804f8f831
                                                          • Instruction Fuzzy Hash: 97E092F13083972F8B1E40EA98140E6ABB746C3070B08C2B7A144CB6C6D8118802C360
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8af9bbe0d9720ea7ff22a5bfb996b8e80cc11d84fd252d0ad9c739c58691863
                                                          • Instruction ID: 68174de82fd656f1b82f720bdaca56beead68c7e75486c762539671a359d899a
                                                          • Opcode Fuzzy Hash: d8af9bbe0d9720ea7ff22a5bfb996b8e80cc11d84fd252d0ad9c739c58691863
                                                          • Instruction Fuzzy Hash: 62E0CDA17012657B595960F548056F776CE8FD9052F4843759A08C7345DD20DC0243F2
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9309c1d76801f78c66259158db2d75c6de17893333408070cdaa741e323b60da
                                                          • Instruction ID: 33c24c7c38b68a4e44bab1ddd806f6f72a6ae3f5f609287131ea7006a22234db
                                                          • Opcode Fuzzy Hash: 9309c1d76801f78c66259158db2d75c6de17893333408070cdaa741e323b60da
                                                          • Instruction Fuzzy Hash: FBE09A708282099BCF0AEBF8D44A5FDBF70EA01210F0082ADC513D22C6EB2095CACB81
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7dc42721cdaa3a460d8eb8361e88e0252f387ed77ead07361ba699a4e77c3ea6
                                                          • Instruction ID: f8fb70e1138f7a69812705b32397f336848205599b4301b237925ec719d613d2
                                                          • Opcode Fuzzy Hash: 7dc42721cdaa3a460d8eb8361e88e0252f387ed77ead07361ba699a4e77c3ea6
                                                          • Instruction Fuzzy Hash: 43F06D70A003045FD3A0DBB8D4DC39ABBE5FB44320F00442DD21EC7341DB35A8808B90
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69797974616f25f42a5c104588fbe14ab763520f4b107e67a1546ad306f74b2f
                                                          • Instruction ID: 7a4e418f5110d4e2176018b4b44bb94771aaa28f9ad9329e9ecaae4bef1a80fc
                                                          • Opcode Fuzzy Hash: 69797974616f25f42a5c104588fbe14ab763520f4b107e67a1546ad306f74b2f
                                                          • Instruction Fuzzy Hash: A1E02639714614ABCB097B79A40C2AE7A56EBC4720F00412ED71A83386CF78580183E9
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d82b47c01d9f1cc205992ca4ba68f4bf3ba938e2850c458227464fa6e8a1742e
                                                          • Instruction ID: d5ac5907f5adbe62a2c8d1701517a9752179092fab3baef5ee8ed7aced8aeb8c
                                                          • Opcode Fuzzy Hash: d82b47c01d9f1cc205992ca4ba68f4bf3ba938e2850c458227464fa6e8a1742e
                                                          • Instruction Fuzzy Hash: 93D0A7A23112667B499570FE58016FBA2CFCFC84A2F458336AA08C7381ED50DC0243F2
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54d06724203f717794bf40becfd93356e0ee6caa614edb92cec25592fb82dbb2
                                                          • Instruction ID: be0531236b0e7fcadcc92f340233bc489e2782e9b595d490432a93d99eedfaf2
                                                          • Opcode Fuzzy Hash: 54d06724203f717794bf40becfd93356e0ee6caa614edb92cec25592fb82dbb2
                                                          • Instruction Fuzzy Hash: 24E0C275B007156B865AE25EA80089F77EBDEC95F5704842EE01ACB704EE64DC024BE6
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                          • Instruction ID: 01fa9c2d73f1da1b6d50a7d4f5a408aea51515c33ccd4f9aa761675eac8f734b
                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                          • Instruction Fuzzy Hash: 0DE08635B10014A78B089699D4104DDF7A9DBCD220F04807BD91AA7748DA32591686E1
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 169b3b4efb57678df73baea89bd65e5ca52185888f03902c25c63e302ebe7a08
                                                          • Instruction ID: 7ee7f2f2bada3ec186fcb0b81946d81c3f001d3fdb2a890ecc5d41092cf5044b
                                                          • Opcode Fuzzy Hash: 169b3b4efb57678df73baea89bd65e5ca52185888f03902c25c63e302ebe7a08
                                                          • Instruction Fuzzy Hash: EBE092B0D1834AAF8715DBA4D44A9ADBFB0DB15304F00C26DDD0497386DE305842CB81
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d14d6587466fed55e642b2ecb74cc1d116b19ec975d900ae0599f9610d85bf5
                                                          • Instruction ID: 8e993e883dd7fb254a75680d7f1e5e56a70f5807a235397655a008a8aa24cdc3
                                                          • Opcode Fuzzy Hash: 5d14d6587466fed55e642b2ecb74cc1d116b19ec975d900ae0599f9610d85bf5
                                                          • Instruction Fuzzy Hash: F7E0DFF08102826E8790DB788040099FFF0AF0A268B1482EE8825DB296EA329503CBC0
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction ID: 6e5f91a6a5a18f4b751e6975f1fc7c614c48d80f315acfa9a36bca581ea1000d
                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction Fuzzy Hash: C7D062B0D142099F8780EFADC94156DFBF4EB49204F5085AA8919E7311E7319A128BD1
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5b0ece4cd094f09fabdea5749c07fa3c063f9394ffb55b64268f42d43c409ec
                                                          • Instruction ID: b73080b2ecad0d25d5b6ef4db751f46cfbf3bf039055a4b3582971073fb65de2
                                                          • Opcode Fuzzy Hash: b5b0ece4cd094f09fabdea5749c07fa3c063f9394ffb55b64268f42d43c409ec
                                                          • Instruction Fuzzy Hash: EFD067318141099BCB09EBA4E85A4BDBB74FA14301F41816DD92793196EF315A9ACAC5
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 464e7eaf21d598176e0e32755121b5946bc840537c3ee0fba1f961c82817a660
                                                          • Instruction ID: b1be4eda4468da51b3da2ee6aca179b174b0e8e2e594de0fafa8e0c0e02f04f0
                                                          • Opcode Fuzzy Hash: 464e7eaf21d598176e0e32755121b5946bc840537c3ee0fba1f961c82817a660
                                                          • Instruction Fuzzy Hash: 48D0123491420A9B8754DFA4D44686DBBB4E745300F00815DD91593345EA305841CBC1
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a5dc1d019938c8fe1092f8eb2370d438a86ba5d358dd04d3a3f383cd6b517447
                                                          • Instruction ID: d227787edb5bae5d15c1bcefc46e6f5360043ded46c4ed5f267f49815cd62761
                                                          • Opcode Fuzzy Hash: a5dc1d019938c8fe1092f8eb2370d438a86ba5d358dd04d3a3f383cd6b517447
                                                          • Instruction Fuzzy Hash: 8BD0923444E7C49FCB168F7894988187F30AE5322432A05DEE88A9F5A7CA768848DB16
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 471be6e032dc881f3e7ab1640a3140eaa25828bb46a1e325d815103b0758f67d
                                                          • Instruction ID: 82ed214b6f817c08ba7d2e8d2028b4000581284a88331198c7213d8c7013591f
                                                          • Opcode Fuzzy Hash: 471be6e032dc881f3e7ab1640a3140eaa25828bb46a1e325d815103b0758f67d
                                                          • Instruction Fuzzy Hash: 15C04C2550E3D14FDF4B873588755267F329A4720431F41DEC082CB863CA65440AEB96
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3ffc7de7aac2ec761602b65571b21aeeaa749c559b4022564fdf7118151d8dd
                                                          • Instruction ID: 16d96faba05cb2ccc37c428823a240e2a9b2e8e02cb4a74b746a3e21ad455817
                                                          • Opcode Fuzzy Hash: d3ffc7de7aac2ec761602b65571b21aeeaa749c559b4022564fdf7118151d8dd
                                                          • Instruction Fuzzy Hash: EFB092300447088FC6486FB9A408A187729AB8031538104A9E90E5A6978F36E884CA44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $cDk$4'q$4'q$4'q$4'q$84Ol$84Ol$tPq$tPq$JRl$JRl$JRl$JRl$JRl$rQl$rQl
                                                          • API String ID: 0-3285622846
                                                          • Opcode ID: 09004eb19d50a522097ebc45253f7cf625a2285d68bf9bd5add0092b2af264e9
                                                          • Instruction ID: 04fcba706f671fd65ce50f778cd17f9355ff505788e171173f4150bec69f7a13
                                                          • Opcode Fuzzy Hash: 09004eb19d50a522097ebc45253f7cf625a2285d68bf9bd5add0092b2af264e9
                                                          • Instruction Fuzzy Hash: 33D107B1B0420A8FD7358B69D4147EABBF6AFC6210F18807BD9658F256DB31C842C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,kAq$,q$$q$$q$$q$$q$$q$$q
                                                          • API String ID: 0-2047734230
                                                          • Opcode ID: eb1da1d1aebc383e156695e0ea847262a273c19634b893f67e21389223addb06
                                                          • Instruction ID: 9c1bf9899b50cc730594376615d14ca5603f4ecf696265781f00d1f49f048106
                                                          • Opcode Fuzzy Hash: eb1da1d1aebc383e156695e0ea847262a273c19634b893f67e21389223addb06
                                                          • Instruction Fuzzy Hash: 2F5106B03122139FDB28D7BAF45666CB7D2BF89614B5405AAF066CF761DE11CC028762
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fq$4'q$4'q$4'q$4'q$rQl$rQl
                                                          • API String ID: 0-3537796538
                                                          • Opcode ID: 846249d8971e48a24a65568017c0dfc235c82d8f018ca5b541cd70eaa175e060
                                                          • Instruction ID: abc0a77d9c1be43652b60a8008302eab5d81dbe0799c80eb9ec0bb4e0322e7e4
                                                          • Opcode Fuzzy Hash: 846249d8971e48a24a65568017c0dfc235c82d8f018ca5b541cd70eaa175e060
                                                          • Instruction Fuzzy Hash: 11E134B1B043468FD7259B7898117EBBBB6AFC6214F14C0AFD455CF292DB318942C7A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q$$q$Gl$Gl
                                                          • API String ID: 0-2055229760
                                                          • Opcode ID: be1b4b77dcad419c07dcb6b080605f32c4a50b92f65eecd4bc26220aa289da93
                                                          • Instruction ID: f36a2adb353fe081e98c6c61be1b450f3710bd980550ea96b8f04baed487f549
                                                          • Opcode Fuzzy Hash: be1b4b77dcad419c07dcb6b080605f32c4a50b92f65eecd4bc26220aa289da93
                                                          • Instruction Fuzzy Hash: EF5148B17043069FDF348B6998057E6BBBAEBC6611F14807BD415CB253DA35C882CBA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,kAq$`Qq$$q$$q$$q
                                                          • API String ID: 0-3082558321
                                                          • Opcode ID: 3ecac82ee6e5a0aac968cbe55a301e6f36cbd60fb8f3198556625d91bb5b87a7
                                                          • Instruction ID: 593e289cc154d4e291ac7d3e380647bbb302cd4ec5a4b7b3773a3ee59afacac8
                                                          • Opcode Fuzzy Hash: 3ecac82ee6e5a0aac968cbe55a301e6f36cbd60fb8f3198556625d91bb5b87a7
                                                          • Instruction Fuzzy Hash: BBE12C70B102139FEB649BB9E85476EB3D6AFC9614F2541BAD406DF351DE70EC0283A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: 1eb515005c53e860da1e2940d11d8d5d67465b846c5d57160fb6167b331e990c
                                                          • Instruction ID: c58eb73ec51bfb5b710495b7287207ead66b6c67c14258bb37aba3965f11a041
                                                          • Opcode Fuzzy Hash: 1eb515005c53e860da1e2940d11d8d5d67465b846c5d57160fb6167b331e990c
                                                          • Instruction Fuzzy Hash: 36B1A5B4E0030A9FDB55DFA9D980A9DFBF2BF88310F148629D419AB305DB34A905CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tMQl$`q$`q$`q$`q
                                                          • API String ID: 0-1815968527
                                                          • Opcode ID: ac2411138e98a2ef4ed2b21c5c2c58b6e7a28e59212c55cb6bbd63409fe1e89c
                                                          • Instruction ID: 354bdc29ff394554ff3fca38c2af4db21abf30e87e50c2c948e98e7f254761e6
                                                          • Opcode Fuzzy Hash: ac2411138e98a2ef4ed2b21c5c2c58b6e7a28e59212c55cb6bbd63409fe1e89c
                                                          • Instruction Fuzzy Hash: 28B184B4E0030A9FDB54DFA9D980A9DFBF2BF88310F148629D419AB304DB74A945CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$84Ol$tPq$JRl$JRl
                                                          • API String ID: 0-2090232548
                                                          • Opcode ID: 55dd287613f15cf0d96d4d28d6f4b1d650ab6dce8e8121ec314b27c4ba2790e6
                                                          • Instruction ID: 41f7f527676887b40a95c42db10c0510101b0e138364550b2466e622f25b9fe9
                                                          • Opcode Fuzzy Hash: 55dd287613f15cf0d96d4d28d6f4b1d650ab6dce8e8121ec314b27c4ba2790e6
                                                          • Instruction Fuzzy Hash: 6D218DB2A0020ADBDB308B55D451BA6F7BAABC1311F18C0ABDA245B197C332E941C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -l^$-l^$-l^$-l^
                                                          • API String ID: 0-2687830276
                                                          • Opcode ID: 5e34ca7dc45cb11847c5356a015459b01272bc5d94217c42f21a6937a9263569
                                                          • Instruction ID: b13e1f64a16df7bbf185125dc910a236ab42a9b990c64584b18ee04cb7014aff
                                                          • Opcode Fuzzy Hash: 5e34ca7dc45cb11847c5356a015459b01272bc5d94217c42f21a6937a9263569
                                                          • Instruction Fuzzy Hash: C1415C6160E7C05FD7139B3C98A49953FF1AFA719871A00EBD4C4CF263D928AC0AC766
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$$q$$q
                                                          • API String ID: 0-4102054182
                                                          • Opcode ID: 2fafeee1ada97f02b72d5cfe1d20166a6d836e03e6d4c97857b7517b197cd3d1
                                                          • Instruction ID: 7fc9ce9b7a8a2d3eab3cf4c4f5f3cdb3f767ab80727a23f6ebaae4cb42f8d74b
                                                          • Opcode Fuzzy Hash: 2fafeee1ada97f02b72d5cfe1d20166a6d836e03e6d4c97857b7517b197cd3d1
                                                          • Instruction Fuzzy Hash: E6216EB2B143069BEB345BAA5800BA7B7EF9BC1716F24843AE515CB383DD35C5528721
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q
                                                          • API String ID: 0-3199993180
                                                          • Opcode ID: e795daddaa42dc5a485adc4c9354d9e167492ae9a65bdae406978f01f78bad6c
                                                          • Instruction ID: f25dc4ff38f61f9ac25022cdb31d21811b3b71b943a707f8b78c74386950ac72
                                                          • Opcode Fuzzy Hash: e795daddaa42dc5a485adc4c9354d9e167492ae9a65bdae406978f01f78bad6c
                                                          • Instruction Fuzzy Hash: 94018F65B0D3974FD33B222829252D76FB6ABC355072E40EBD491DF3A3C9148D0A83A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$JRl$JRl
                                                          • API String ID: 0-2494032063
                                                          • Opcode ID: 910362b8a963cf6491780e683d6d76b50935ebef744f659c05e01789c38bbfbc
                                                          • Instruction ID: c1a612adfd98e96e106e0c6ae99e5ed306dce0633eb912851d3168bfa1759342
                                                          • Opcode Fuzzy Hash: 910362b8a963cf6491780e683d6d76b50935ebef744f659c05e01789c38bbfbc
                                                          • Instruction Fuzzy Hash: 3E0184B5A0D3C24FD33346246C112966BF6AAD795071A81E7C691DF2E7C6388C06C3A3
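The records above are emitted once per function that the IDA plugin recovered from the dumped memory regions of process 16 (the powershell.exe stage of this chain), and every one of them is marked "based on PE: false", i.e. the code lives in a region with no backing image on disk. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it turns a run of these records into a per-dump index so the functions can be pivoted on by dump, by referenced strings and by fuzzy hash across samples. The sample input is constructed from three records copied from this page; the record layout (each entry beginning at a "Strings" line), the reading of the snapshot-file suffix as the process name, and the positional fuzzy-hash comparison are all assumptions made for the example, not documented Joe Sandbox semantics.

```python
"""Index Joe Sandbox per-function 'Strings / Memory Dump Source / Similarity'
records so they can be grouped per memory dump and pivoted on by string ID and
fuzzy hash. Added example; field meanings are inferred from the records shown."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three records copied from this page, indentation removed.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000010.00000002.2205592180.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ab0000_powershell.jbxd
Similarity
• API ID:
• String ID: fq$4'q$4'q$4'q$4'q$rQl$rQl
• API String ID: 0-3537796538
• Opcode ID: 846249d8971e48a24a65568017c0dfc235c82d8f018ca5b541cd70eaa175e060
• Instruction ID: abc0a77d9c1be43652b60a8008302eab5d81dbe0799c80eb9ec0bb4e0322e7e4
• Opcode Fuzzy Hash: 846249d8971e48a24a65568017c0dfc235c82d8f018ca5b541cd70eaa175e060
• Instruction Fuzzy Hash: 11E134B1B043468FD7259B7898117EBBBB6AFC6214F14C0AFD455CF292DB318942C7A2
Strings
Memory Dump Source
• Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: tMQl$`q$`q$`q$`q
• API String ID: 0-1815968527
• Opcode ID: 1eb515005c53e860da1e2940d11d8d5d67465b846c5d57160fb6167b331e990c
• Instruction ID: c58eb73ec51bfb5b710495b7287207ead66b6c67c14258bb37aba3965f11a041
• Opcode Fuzzy Hash: 1eb515005c53e860da1e2940d11d8d5d67465b846c5d57160fb6167b331e990c
• Instruction Fuzzy Hash: 36B1A5B4E0030A9FDB55DFA9D980A9DFBF2BF88310F148629D419AB305DB34A905CF91
Strings
Memory Dump Source
• Source File: 00000010.00000002.2201977875.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: tMQl$`q$`q$`q$`q
• API String ID: 0-1815968527
• Opcode ID: ac2411138e98a2ef4ed2b21c5c2c58b6e7a28e59212c55cb6bbd63409fe1e89c
• Instruction ID: 354bdc29ff394554ff3fca38c2af4db21abf30e87e50c2c948e98e7f254761e6
• Opcode Fuzzy Hash: ac2411138e98a2ef4ed2b21c5c2c58b6e7a28e59212c55cb6bbd63409fe1e89c
• Instruction Fuzzy Hash: 28B184B4E0030A9FDB54DFA9D980A9DFBF2BF88310F148629D419AB304DB74A945CF91
"""

SOURCE_RE = re.compile(r"(?P<dump>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
# Assumption: the last '_'-separated token of the snapshot name is the process image name.
SNAPSHOT_RE = re.compile(r"_(?P<proc>[^_]+)\.jbxd$")


@dataclass
class FunctionRecord:
    dump_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None
    snapshot_file: str = ""
    process: str = ""
    strings: List[str] = field(default_factory=list)   # String ID split on '$'
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into records (assumed to start at each 'Strings' line) and
    pull the bullet fields out of each one."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        key, _, value = line.lstrip("• ").partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.search(value)
            if m:
                current.dump_file = m.group("dump")
                current.offset = m.group("off")
                current.based_on_pe = m.group("pe") == "true"
        elif key == "Snapshot File":
            current.snapshot_file = value
            m = SNAPSHOT_RE.search(value)
            current.process = m.group("proc") if m else ""
        elif key == "String ID":
            current.strings = value.split("$") if value else []
        elif key == "API String ID":
            current.api_string_id = value
        elif key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction ID":
            current.instruction_id = value
        elif key == "Opcode Fuzzy Hash":
            current.opcode_fuzzy = value
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy = value
    return records


def summarize_by_dump(records: List[FunctionRecord]) -> Dict[str, dict]:
    """One entry per memory dump: where it is, whether it is PE-backed, which
    process it came from, how many functions landed in it and what strings they touch."""
    summary: Dict[str, dict] = {}
    for r in records:
        entry = summary.setdefault(r.dump_file, {
            "offset": r.offset, "based_on_pe": r.based_on_pe, "process": r.process,
            "functions": 0, "strings": set()})
        entry["functions"] += 1
        entry["strings"].update(s for s in r.strings if s)
    return summary


def shared_string_ids(records: List[FunctionRecord]) -> Dict[str, List[str]]:
    """API String IDs referenced by more than one distinct function (by Opcode ID)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[r.api_string_id].append(r.opcode_id)
    return {k: v for k, v in groups.items() if len(v) > 1}


def fuzzy_agreement(a: str, b: str) -> float:
    """Crude positional agreement between two fuzzy hashes of equal length.
    Assumption: a stand-in for comparison in this example, not the sandbox's own metric."""
    if not a or not b or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def injected_code_regions(records: List[FunctionRecord]) -> List[str]:
    """Dumps whose code is not backed by a PE on disk: candidate injected or unpacked payload regions."""
    return sorted({r.dump_file for r in records if r.based_on_pe is False})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for dump, info in summarize_by_dump(recs).items():
        print(f"{dump}\n  offset={info['offset']} process={info['process']} "
              f"pe_backed={info['based_on_pe']} functions={info['functions']} "
              f"strings={sorted(info['strings'])}")
    print("shared string IDs:", shared_string_ids(recs))
    print("non-PE-backed regions:", injected_code_regions(recs))
    print("fuzzy agreement rec1/rec2: %.2f" % fuzzy_agreement(recs[1].instruction_fuzzy, recs[2].instruction_fuzzy))
```

On the three sample records the 070A0000 dump carries two functions that share one API String ID but have different Opcode IDs, and their Instruction Fuzzy Hashes agree in 62 of 70 positions, so the index flags them as near-duplicates worth comparing against other XWorm samples' dumps; both dumps are non-PE-backed regions inside the powershell process, which is the place to carve the unpacked payload from.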