Edit tour

Windows Analysis Report
r10072024085940.scr.exe

Overview

General Information

Sample name:	r10072024085940.scr.exe
Analysis ID:	1480135
MD5:	618cd424097ed299ff5869779f36054a
SHA1:	0b125df7fa521a8000d22481e7fa3384818f43c1
SHA256:	89dc59a7a775dfe1f77a49a7e7c964ffc70ae523d209ea78d7854410fe476b90
Tags:	exescr
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

r10072024085940.scr.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\r10072024085940.scr.exe" MD5: 618CD424097ED299FF5869779F36054A)

r10072024085940.scr.exe (PID: 4364 cmdline: "C:\Users\user\Desktop\r10072024085940.scr.exe" MD5: 618CD424097ED299FF5869779F36054A)

powershell.exe (PID: 2496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'r10072024085940.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2151669243.0000000009040000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10068:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10105:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1021a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf55a:$cnc4: POST / HTTP/1.1
00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13e04:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x260f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3898c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13ea1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x26191:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x38a29:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13fb6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x262a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x38b3e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x132f6:$cnc4: POST / HTTP/1.1 0x255e6:$cnc4: POST / HTTP/1.1 0x37e7e:$cnc4: POST / HTTP/1.1
00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: r10072024085940.scr.exe PID: 5040	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: r10072024085940.scr.exe PID: 5040	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: r10072024085940.scr.exe PID: 4364	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.r10072024085940.scr.exe.9040000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.r10072024085940.scr.exe.9040000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.r10072024085940.scr.exe.2a4f0c4.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.r10072024085940.scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.r10072024085940.scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1
1.2.r10072024085940.scr.exe.2a8cb9c.6.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.r10072024085940.scr.exe.2a8cb9c.6.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd95a:$cnc4: POST / HTTP/1.1
1.2.r10072024085940.scr.exe.2a9ee8c.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.r10072024085940.scr.exe.2a9ee8c.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd95a:$cnc4: POST / HTTP/1.1
1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22558:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x34df0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x225f5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x34e8d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2270a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x34fa2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1 0x21a4a:$cnc4: POST / HTTP/1.1 0x342e2:$cnc4: POST / HTTP/1.1
1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22b00:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22b9d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x22cb2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1 0x21ff2:$cnc4: POST / HTTP/1.1
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\r10072024085940.scr.exe", ParentImage: C:\Users\user\Desktop\r10072024085940.scr.exe, ParentProcessId: 4364, ParentProcessName: r10072024085940.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', ProcessId: 2496, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\r10072024085940.scr.exe", ParentImage: C:\Users\user\Desktop\r10072024085940.scr.exe, ParentProcessId: 4364, ParentProcessName: r10072024085940.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', ProcessId: 2496, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\r10072024085940.scr.exe, ProcessId: 4364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\r10072024085940.scr.exe", ParentImage: C:\Users\user\Desktop\r10072024085940.scr.exe, ParentProcessId: 4364, ParentProcessName: r10072024085940.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe', ProcessId: 2496, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 104.250.180.178

Timestamp:	2024-07-24T15:42:54.092872+0200
SID:	2855924
Source Port:	49726
Destination Port:	7061
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 104.250.180.178

Timestamp:	2024-07-24T15:44:41.561420+0200
SID:	2853193
Source Port:	49736
Destination Port:	7061
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 104.250.180.178

Timestamp:	2024-07-24T15:42:28.902236+0200
SID:	2855924
Source Port:	49722
Destination Port:	7061
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: r10072024085940.scr.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: r10072024085940.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: 104.250.180.178
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: 7061
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: <123456789>
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: XWorm V5.2
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: USB.exe
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: %AppData%
Source: 3.2.r10072024085940.scr.exe.400000.0.unpack	String decryptor: XClient.exe

Source: r10072024085940.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: r10072024085940.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: LnPA.pdb source: r10072024085940.scr.exe, XClient.exe.3.dr
Source:	Binary string: LnPA.pdbSHA256x source: r10072024085940.scr.exe, XClient.exe.3.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.6:49722 -> 104.250.180.178:7061

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 0000000E.00000002.2325415061.00000000032E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000004.00000002.2203786870.0000000005538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241264306.00000000057A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2291307877.0000000005FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2198283869.0000000004626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.00000000050A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: r10072024085940.scr.exe, 00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, r10072024085940.scr.exe, 00000003.00000002.4606757606.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2198283869.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.0000000004F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2198283869.0000000004626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.00000000050A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: r10072024085940.scr.exe, XClient.exe.3.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.2304106697.00000000089C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000E.00000002.2370487996.0000000008843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co0
Source: powershell.exe, 00000004.00000002.2198283869.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.0000000004F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2203786870.0000000005538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241264306.00000000057A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2291307877.0000000005FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.r10072024085940.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_0282DFAC	1_2_0282DFAC
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07313439	1_2_07313439
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07313448	1_2_07313448
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_073154C0	1_2_073154C0
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07313010	1_2_07313010
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07313003	1_2_07313003
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07313870	1_2_07313870
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07315078	1_2_07315078
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07313880	1_2_07313880
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07315088	1_2_07315088
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E630F8	1_2_08E630F8
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E6B508	1_2_08E6B508
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E6B518	1_2_08E6B518
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E62E87	1_2_08E62E87
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E62E98	1_2_08E62E98
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_010A44C7	3_2_010A44C7
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_010A4AC0	3_2_010A4AC0
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_010A1458	3_2_010A1458
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A6F9B8	3_2_06A6F9B8
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A6B998	3_2_06A6B998
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A6F670	3_2_06A6F670
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A61B4C	3_2_06A61B4C
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06BA6E90	3_2_06BA6E90
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06BA4FA2	3_2_06BA4FA2
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06BA55C8	3_2_06BA55C8
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06BA0040	3_2_06BA0040
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06BA1F09	3_2_06BA1F09
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_040BB490	4_2_040BB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_080B3E98	4_2_080B3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02CFB4A0	7_2_02CFB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02CFB490	7_2_02CFB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08703A98	7_2_08703A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04EAB490	9_2_04EAB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08E83A98	9_2_08E83A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04CCB4A0	14_2_04CCB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04CCB490	14_2_04CCB490

Source: r10072024085940.scr.exe, 00000001.00000000.2132023644.000000000060C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLnPA.exeT vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000001.00000002.2148694173.0000000003BFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000001.00000002.2151038435.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000001.00000002.2145073306.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000001.00000002.2151669243.0000000009040000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000003.00000002.4622241871.0000000005EC9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000003.00000002.4619603404.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLnPA.exeT vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe, 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs r10072024085940.scr.exe
Source: r10072024085940.scr.exe	Binary or memory string: OriginalFilenameLnPA.exeT vs r10072024085940.scr.exe

Source: r10072024085940.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.r10072024085940.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: r10072024085940.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, N4P4GWcQkqHPddwcWa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, N4P4GWcQkqHPddwcWa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: _0020.SetAccessControl
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: _0020.AddAccessRule
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: _0020.SetAccessControl
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: _0020.AddAccessRule
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, N4P4GWcQkqHPddwcWa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: _0020.SetAccessControl
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, j5bf5aHanl77EJZvqk.cs	Security API names: _0020.AddAccessRule

Source: 1.2.r10072024085940.scr.exe.7060000.9.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 1.2.r10072024085940.scr.exe.2ad5b4c.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 1.2.r10072024085940.scr.exe.2acd4d0.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/20@0/1

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\f8RKHn3SOlVxjC9t
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_03
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: r10072024085940.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: r10072024085940.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: r10072024085940.scr.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File read: C:\Users\user\Desktop\r10072024085940.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\r10072024085940.scr.exe "C:\Users\user\Desktop\r10072024085940.scr.exe"
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Users\user\Desktop\r10072024085940.scr.exe "C:\Users\user\Desktop\r10072024085940.scr.exe"
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'r10072024085940.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Users\user\Desktop\r10072024085940.scr.exe "C:\Users\user\Desktop\r10072024085940.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'r10072024085940.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: r10072024085940.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: r10072024085940.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: r10072024085940.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: LnPA.pdb source: r10072024085940.scr.exe, XClient.exe.3.dr
Source:	Binary string: LnPA.pdbSHA256x source: r10072024085940.scr.exe, XClient.exe.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.kpaiBhymIJGBuLt851gqZoLAoD2fiZkc0DA3Lc823wxxdIa6PYsvKZlA56OH12YQ41sSLHjT4iWQJiKp8tggB2I54feK1c86Mqm,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.zZbnUIep0vWxKxGVBok7L3PrzjZoEnwL0TSMXbwigCiaVp6nuwuxywUGaEN9dKldJ3TrYBoPGwVErMlqUaYHm6AAkBixXvLS97V,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw._1fd035fDiEoy57pBpWpWQTfLABgAwu559F98CfIdCDdRJ74x4qfREzt6LaVDN65xSX6mXNev2t5WO73ujfaH60MUncnZRoGV4vj,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.IW9FNA672lsDi2tCYs0XmXfyWkYhTHM1nl8C6baQ9lTI8YY8Qyto5zkIeoHh2Zcqmqyiuv94riMmQCcGwepP0z2tUnSyyl1yoCb,LQsPA89PDgnCWG85KTzaHUxHxV.WufUBprPTFHXMI553kXybp9FaY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9CLWboLL8arHgBpNMCHih5iKc1[2],LQsPA89PDgnCWG85KTzaHUxHxV.WL37fsRxQxlu6tAK1xjQRngPmh(Convert.FromBase64String(_9CLWboLL8arHgBpNMCHih5iKc1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _9CLWboLL8arHgBpNMCHih5iKc1[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.kpaiBhymIJGBuLt851gqZoLAoD2fiZkc0DA3Lc823wxxdIa6PYsvKZlA56OH12YQ41sSLHjT4iWQJiKp8tggB2I54feK1c86Mqm,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.zZbnUIep0vWxKxGVBok7L3PrzjZoEnwL0TSMXbwigCiaVp6nuwuxywUGaEN9dKldJ3TrYBoPGwVErMlqUaYHm6AAkBixXvLS97V,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw._1fd035fDiEoy57pBpWpWQTfLABgAwu559F98CfIdCDdRJ74x4qfREzt6LaVDN65xSX6mXNev2t5WO73ujfaH60MUncnZRoGV4vj,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.IW9FNA672lsDi2tCYs0XmXfyWkYhTHM1nl8C6baQ9lTI8YY8Qyto5zkIeoHh2Zcqmqyiuv94riMmQCcGwepP0z2tUnSyyl1yoCb,LQsPA89PDgnCWG85KTzaHUxHxV.WufUBprPTFHXMI553kXybp9FaY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9CLWboLL8arHgBpNMCHih5iKc1[2],LQsPA89PDgnCWG85KTzaHUxHxV.WL37fsRxQxlu6tAK1xjQRngPmh(Convert.FromBase64String(_9CLWboLL8arHgBpNMCHih5iKc1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _9CLWboLL8arHgBpNMCHih5iKc1[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: r10072024085940.scr.exe, FrmLogin.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, j5bf5aHanl77EJZvqk.cs	.Net Code: Gw1vaX5SMB System.Reflection.Assembly.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, j5bf5aHanl77EJZvqk.cs	.Net Code: Gw1vaX5SMB System.Reflection.Assembly.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, j5bf5aHanl77EJZvqk.cs	.Net Code: Gw1vaX5SMB System.Reflection.Assembly.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP System.AppDomain.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn System.AppDomain.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP System.AppDomain.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn System.AppDomain.Load(byte[])
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn

Source: r10072024085940.scr.exe

Static PE information: 0x81C33332 [Mon Dec 27 09:04:50 2038 UTC]

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_0731725A push ebx; ret	1_2_0731725B
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_07A401B0 push eax; iretd	1_2_07A401B1
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E65B48 pushfd ; retf	1_2_08E65B4C
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 1_2_08E6CDBE push esp; iretd	1_2_08E6CDC1
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A66692 push eax; iretd	3_2_06A66699
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A66690 pushad ; iretd	3_2_06A66691
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Code function: 3_2_06A6349B push ss; retf	3_2_06A634AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_040B633D push eax; ret	4_2_040B6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02CF5A2C push edi; iretd	7_2_02CF5A32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02CF5A37 push edi; iretd	7_2_02CF5A3E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04EA633D push eax; ret	9_2_04EA6351

Source: r10072024085940.scr.exe

Static PE information: section name: .text entropy: 7.830777991010836

Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, FdpYDqOiy2IvChmLkJ.cs	High entropy of concatenated method names: 'fY8hGyMLEX', 'UQ2hnT2FS4', 'zQihvpNlDo', 'vluh4scX5L', 'dg6hE88N2u', 'vYsh3o631b', 'Vt4hZCxaxT', 'faL0L7E78V', 'ay00DpXCed', 'tb40MvANAs'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, paHssNzsyx7OV5Wnor.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bfnhXZJKvE', 'j7vhmg8uM0', 'NkmhdtTYAm', 'XIGhTHss3E', 'qqrh0OxJvm', 'NAQhhSebWV', 'leNhSxLvqY'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, rl3bo7GCCHjpa7YPXI8.cs	High entropy of concatenated method names: 'TRMhFjKSvn', 'kauhPurUGn', 'u1SharKI32', 'UnohQXFOCX', 'BEfhVMfVaX', 'zaphrWsjRE', 'HvyhArvuBw', 'q3vhcA2cKN', 'VM4hjfM91T', 'AeNhxyOCd4'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, oZ0N5nD8lvgOXppBOh.cs	High entropy of concatenated method names: 'aQM04rDK1T', 'MP00EeOCFT', 'mMA01mdgt9', 'wS603pbYPe', 'KgT0Za7Nbd', 'H8o0wRawsg', 'bgL0Hn2in3', 'PTs0BV8Y1k', 'kvR0eE6guV', 'QEL0KanJ3p'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, Hhw20K1cFSSgBvvOkS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uHLRMqtFyx', 'NScROIEw0r', 'IDkRze57Ri', 'F4NnCBkp2J', 'HconGsAv2s', 'z4UnRaTKpY', 'REQnnwUlse', 'p68g7Mj1vADpaIxwjWc'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, b27GmituljWVrhMVYf.cs	High entropy of concatenated method names: 'YfGw4BQnjW', 'PGXw1DOgUJ', 'nVNwZfuJG7', 'XIGZOAux4h', 'hp2ZznNlQN', 'E8KwCObZbS', 'SMtwGfyafx', 'RCFwRB4Dlp', 'GS3wn44c8s', 'ECfwvnEi9d'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, kp2r6GGG7y0YEVVNxfq.cs	High entropy of concatenated method names: 'ToString', 'XMvSn7VjSa', 'CdASvQrY02', 'JSTSfZ55ZZ', 'GqbS4Hsy99', 'VqWSEg1mDm', 'vXfS1lOtnK', 'xdUS3JR3mX', 'pMNH7ocdc1a5JB03id6', 'YxXhUwcQC4mlesXgtjL'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, KksAkZufFMpkv6tC6g.cs	High entropy of concatenated method names: 'AtyTD2tRrQ', 'ktATONBkfR', 'YVO0CjOlV1', 'm6W0GmRegJ', 'nEZTi6ygpW', 'jvITp0iR0E', 'eloTski6FL', 'MADTNaXuEG', 'GO9T5wowdH', 'hvHTJQDXpt'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, OvZs7NRiZpB5A90qmm.cs	High entropy of concatenated method names: 'yLtaeiGti', 'UP8QCRQpf', 'NKnrUOPIp', 'XlyAuEwJA', 'RK2jatWTB', 'xQXxHtHlc', 'BsxMqD8yLRmfYgle27', 'iIonu3dgoxmj3uowg6', 'JiFxMNQwSplB1bXvDU', 'nhR0qeE0W'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, N4P4GWcQkqHPddwcWa.cs	High entropy of concatenated method names: 'TDQENassNU', 'uVGE554yUx', 'DnDEJ122hR', 'P3nE789b6v', 'IjAEWx8KpL', 'R9xEuSWBBg', 'CRPELvTSK3', 'tU1EDOUkMm', 'T9qEM79IVf', 'wA4EOnn4Lb'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, G7Effxjk7aXCFjWdQP.cs	High entropy of concatenated method names: 'CJ01QAv0H8', 'StL1r7nVv0', 'RA31cuG7Xc', 'QUk1j4NxJc', 'chk1m8F5hN', 'gPP1d7jwn0', 'Tj61TTIEkT', 'N1U104xn7k', 'Ajc1h4S0OE', 'CKF1SK1fSo'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, Dxg7bilcDZidr2uZv7.cs	High entropy of concatenated method names: 'wN4ZffCHCv', 'mpqZEdl4mt', 'VODZ3220dl', 'lxUZwsPRAu', 'v34ZHpnOHK', 'nBG3WA1ZXj', 'v113urETGi', 'p2D3LgWksg', 'pgC3DmTauR', 'Uxb3M4DqbE'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, VQZFtdM8ACEDTEWPeB.cs	High entropy of concatenated method names: 'QJI0l1qdmB', 'd4n08AFms0', 'FX506CIcqw', 'TSA0ybsYoA', 'lQ20NTbqqZ', 'aFa0olxnnd', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, mnef8vkpabqtGHcdwg.cs	High entropy of concatenated method names: 'bfLwF5Xj5I', 'DqbwPYlmKp', 'OkYwatF8CX', 'O5hwQn25BN', 'tGhwVsB9NW', 'loVwrvobjk', 'ANbwAL0ETX', 'xDhwcOjNnb', 's5iwj99rGx', 'q2Pwx1KxF5'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, QjQ4YH7Utrfw1y2mIT.cs	High entropy of concatenated method names: 'bavTeUctEf', 'TPgTKyo26a', 'ToString', 'rGdT4lnwxc', 'EKrTEh2Mf7', 'Ll4T1Zq01b', 'EcHT3Y4d0x', 'LQfTZvDUpD', 'ygcTwvXI6F', 'AolTH6Phq7'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, j5bf5aHanl77EJZvqk.cs	High entropy of concatenated method names: 'LptnfPwmRq', 'D8qn4DhUGR', 'DxinESRYd2', 'UK7n13kKrk', 'BPfn3YY9aK', 'ytvnZJog92', 'DZVnwKy95H', 'PaqnHxRSvT', 'xfpnB4ylME', 'k0nneRr5KO'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, HpjZYhs8gsBTDbTvIp.cs	High entropy of concatenated method names: 'rl1Xc2h2da', 'hfTXjec844', 'nBIXlkqDJO', 'rqcX85PKNw', 'zCuXyO7bvm', 'li3Xo4rmaF', 'LyaXtXEjGY', 'PlTX2018Yv', 'PGJXgaivbR', 'wLIXixPkgF'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, hctR6TGnfA5n5CVANP8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lMBSN9KZ60', 'BxoS51TLKF', 'na6SJ7QeQ5', 'LxLS7YmxPw', 'zedSWvji4q', 'q4TSuysKjK', 'uZqSLLttCO'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, vjP4fSv21lfb6YAjlG.cs	High entropy of concatenated method names: 'opgGw4P4GW', 'AkqGHHPddw', 'Fk7GeaXCFj', 'UdQGKP0qTj', 'SdEGmMAcxg', 'TbiGdcDZid', 'KIWsOdaR3XngBjjcoS', 'dnXVW7PlW4og3ZwAtv', 'ug5GG62Nwo', 'JDXGn9cAvg'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, NyIRJ0EmmImnIn0S0S.cs	High entropy of concatenated method names: 'Dispose', 'WQrGMW2qaZ', 'RVHR8SCIC3', 'cb777O886u', 'YmZGO0N5n8', 'GvgGzOXppB', 'ProcessDialogKey', 'YhuRCQZFtd', 'HACRGEDTEW', 'yeBRRldpYD'
Source: 1.2.r10072024085940.scr.exe.3c59af0.7.raw.unpack, rqTjWCxO2IvYhJdEMA.cs	High entropy of concatenated method names: 'TbJ3VKh3hX', 'f3V3A6bQ7h', 'NQK16SMRV9', 'x2k1yK333v', 'avZ1oQB0Jt', 'utB19KUXqy', 'Q9e1tvKiOh', 'zU712tGOHh', 'fP71k8uYLh', 'PBD1gAd4Zs'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, FdpYDqOiy2IvChmLkJ.cs	High entropy of concatenated method names: 'fY8hGyMLEX', 'UQ2hnT2FS4', 'zQihvpNlDo', 'vluh4scX5L', 'dg6hE88N2u', 'vYsh3o631b', 'Vt4hZCxaxT', 'faL0L7E78V', 'ay00DpXCed', 'tb40MvANAs'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, paHssNzsyx7OV5Wnor.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bfnhXZJKvE', 'j7vhmg8uM0', 'NkmhdtTYAm', 'XIGhTHss3E', 'qqrh0OxJvm', 'NAQhhSebWV', 'leNhSxLvqY'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, rl3bo7GCCHjpa7YPXI8.cs	High entropy of concatenated method names: 'TRMhFjKSvn', 'kauhPurUGn', 'u1SharKI32', 'UnohQXFOCX', 'BEfhVMfVaX', 'zaphrWsjRE', 'HvyhArvuBw', 'q3vhcA2cKN', 'VM4hjfM91T', 'AeNhxyOCd4'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, oZ0N5nD8lvgOXppBOh.cs	High entropy of concatenated method names: 'aQM04rDK1T', 'MP00EeOCFT', 'mMA01mdgt9', 'wS603pbYPe', 'KgT0Za7Nbd', 'H8o0wRawsg', 'bgL0Hn2in3', 'PTs0BV8Y1k', 'kvR0eE6guV', 'QEL0KanJ3p'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, Hhw20K1cFSSgBvvOkS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uHLRMqtFyx', 'NScROIEw0r', 'IDkRze57Ri', 'F4NnCBkp2J', 'HconGsAv2s', 'z4UnRaTKpY', 'REQnnwUlse', 'p68g7Mj1vADpaIxwjWc'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, b27GmituljWVrhMVYf.cs	High entropy of concatenated method names: 'YfGw4BQnjW', 'PGXw1DOgUJ', 'nVNwZfuJG7', 'XIGZOAux4h', 'hp2ZznNlQN', 'E8KwCObZbS', 'SMtwGfyafx', 'RCFwRB4Dlp', 'GS3wn44c8s', 'ECfwvnEi9d'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, kp2r6GGG7y0YEVVNxfq.cs	High entropy of concatenated method names: 'ToString', 'XMvSn7VjSa', 'CdASvQrY02', 'JSTSfZ55ZZ', 'GqbS4Hsy99', 'VqWSEg1mDm', 'vXfS1lOtnK', 'xdUS3JR3mX', 'pMNH7ocdc1a5JB03id6', 'YxXhUwcQC4mlesXgtjL'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, KksAkZufFMpkv6tC6g.cs	High entropy of concatenated method names: 'AtyTD2tRrQ', 'ktATONBkfR', 'YVO0CjOlV1', 'm6W0GmRegJ', 'nEZTi6ygpW', 'jvITp0iR0E', 'eloTski6FL', 'MADTNaXuEG', 'GO9T5wowdH', 'hvHTJQDXpt'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, OvZs7NRiZpB5A90qmm.cs	High entropy of concatenated method names: 'yLtaeiGti', 'UP8QCRQpf', 'NKnrUOPIp', 'XlyAuEwJA', 'RK2jatWTB', 'xQXxHtHlc', 'BsxMqD8yLRmfYgle27', 'iIonu3dgoxmj3uowg6', 'JiFxMNQwSplB1bXvDU', 'nhR0qeE0W'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, N4P4GWcQkqHPddwcWa.cs	High entropy of concatenated method names: 'TDQENassNU', 'uVGE554yUx', 'DnDEJ122hR', 'P3nE789b6v', 'IjAEWx8KpL', 'R9xEuSWBBg', 'CRPELvTSK3', 'tU1EDOUkMm', 'T9qEM79IVf', 'wA4EOnn4Lb'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, G7Effxjk7aXCFjWdQP.cs	High entropy of concatenated method names: 'CJ01QAv0H8', 'StL1r7nVv0', 'RA31cuG7Xc', 'QUk1j4NxJc', 'chk1m8F5hN', 'gPP1d7jwn0', 'Tj61TTIEkT', 'N1U104xn7k', 'Ajc1h4S0OE', 'CKF1SK1fSo'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, Dxg7bilcDZidr2uZv7.cs	High entropy of concatenated method names: 'wN4ZffCHCv', 'mpqZEdl4mt', 'VODZ3220dl', 'lxUZwsPRAu', 'v34ZHpnOHK', 'nBG3WA1ZXj', 'v113urETGi', 'p2D3LgWksg', 'pgC3DmTauR', 'Uxb3M4DqbE'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, VQZFtdM8ACEDTEWPeB.cs	High entropy of concatenated method names: 'QJI0l1qdmB', 'd4n08AFms0', 'FX506CIcqw', 'TSA0ybsYoA', 'lQ20NTbqqZ', 'aFa0olxnnd', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, mnef8vkpabqtGHcdwg.cs	High entropy of concatenated method names: 'bfLwF5Xj5I', 'DqbwPYlmKp', 'OkYwatF8CX', 'O5hwQn25BN', 'tGhwVsB9NW', 'loVwrvobjk', 'ANbwAL0ETX', 'xDhwcOjNnb', 's5iwj99rGx', 'q2Pwx1KxF5'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, QjQ4YH7Utrfw1y2mIT.cs	High entropy of concatenated method names: 'bavTeUctEf', 'TPgTKyo26a', 'ToString', 'rGdT4lnwxc', 'EKrTEh2Mf7', 'Ll4T1Zq01b', 'EcHT3Y4d0x', 'LQfTZvDUpD', 'ygcTwvXI6F', 'AolTH6Phq7'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, j5bf5aHanl77EJZvqk.cs	High entropy of concatenated method names: 'LptnfPwmRq', 'D8qn4DhUGR', 'DxinESRYd2', 'UK7n13kKrk', 'BPfn3YY9aK', 'ytvnZJog92', 'DZVnwKy95H', 'PaqnHxRSvT', 'xfpnB4ylME', 'k0nneRr5KO'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, HpjZYhs8gsBTDbTvIp.cs	High entropy of concatenated method names: 'rl1Xc2h2da', 'hfTXjec844', 'nBIXlkqDJO', 'rqcX85PKNw', 'zCuXyO7bvm', 'li3Xo4rmaF', 'LyaXtXEjGY', 'PlTX2018Yv', 'PGJXgaivbR', 'wLIXixPkgF'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, hctR6TGnfA5n5CVANP8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lMBSN9KZ60', 'BxoS51TLKF', 'na6SJ7QeQ5', 'LxLS7YmxPw', 'zedSWvji4q', 'q4TSuysKjK', 'uZqSLLttCO'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, vjP4fSv21lfb6YAjlG.cs	High entropy of concatenated method names: 'opgGw4P4GW', 'AkqGHHPddw', 'Fk7GeaXCFj', 'UdQGKP0qTj', 'SdEGmMAcxg', 'TbiGdcDZid', 'KIWsOdaR3XngBjjcoS', 'dnXVW7PlW4og3ZwAtv', 'ug5GG62Nwo', 'JDXGn9cAvg'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, NyIRJ0EmmImnIn0S0S.cs	High entropy of concatenated method names: 'Dispose', 'WQrGMW2qaZ', 'RVHR8SCIC3', 'cb777O886u', 'YmZGO0N5n8', 'GvgGzOXppB', 'ProcessDialogKey', 'YhuRCQZFtd', 'HACRGEDTEW', 'yeBRRldpYD'
Source: 1.2.r10072024085940.scr.exe.72a0000.10.raw.unpack, rqTjWCxO2IvYhJdEMA.cs	High entropy of concatenated method names: 'TbJ3VKh3hX', 'f3V3A6bQ7h', 'NQK16SMRV9', 'x2k1yK333v', 'avZ1oQB0Jt', 'utB19KUXqy', 'Q9e1tvKiOh', 'zU712tGOHh', 'fP71k8uYLh', 'PBD1gAd4Zs'
Source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, NkEtj4xdihRGcDPjVY.cs	High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, FdpYDqOiy2IvChmLkJ.cs	High entropy of concatenated method names: 'fY8hGyMLEX', 'UQ2hnT2FS4', 'zQihvpNlDo', 'vluh4scX5L', 'dg6hE88N2u', 'vYsh3o631b', 'Vt4hZCxaxT', 'faL0L7E78V', 'ay00DpXCed', 'tb40MvANAs'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, paHssNzsyx7OV5Wnor.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bfnhXZJKvE', 'j7vhmg8uM0', 'NkmhdtTYAm', 'XIGhTHss3E', 'qqrh0OxJvm', 'NAQhhSebWV', 'leNhSxLvqY'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, rl3bo7GCCHjpa7YPXI8.cs	High entropy of concatenated method names: 'TRMhFjKSvn', 'kauhPurUGn', 'u1SharKI32', 'UnohQXFOCX', 'BEfhVMfVaX', 'zaphrWsjRE', 'HvyhArvuBw', 'q3vhcA2cKN', 'VM4hjfM91T', 'AeNhxyOCd4'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, oZ0N5nD8lvgOXppBOh.cs	High entropy of concatenated method names: 'aQM04rDK1T', 'MP00EeOCFT', 'mMA01mdgt9', 'wS603pbYPe', 'KgT0Za7Nbd', 'H8o0wRawsg', 'bgL0Hn2in3', 'PTs0BV8Y1k', 'kvR0eE6guV', 'QEL0KanJ3p'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, Hhw20K1cFSSgBvvOkS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uHLRMqtFyx', 'NScROIEw0r', 'IDkRze57Ri', 'F4NnCBkp2J', 'HconGsAv2s', 'z4UnRaTKpY', 'REQnnwUlse', 'p68g7Mj1vADpaIxwjWc'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, b27GmituljWVrhMVYf.cs	High entropy of concatenated method names: 'YfGw4BQnjW', 'PGXw1DOgUJ', 'nVNwZfuJG7', 'XIGZOAux4h', 'hp2ZznNlQN', 'E8KwCObZbS', 'SMtwGfyafx', 'RCFwRB4Dlp', 'GS3wn44c8s', 'ECfwvnEi9d'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, kp2r6GGG7y0YEVVNxfq.cs	High entropy of concatenated method names: 'ToString', 'XMvSn7VjSa', 'CdASvQrY02', 'JSTSfZ55ZZ', 'GqbS4Hsy99', 'VqWSEg1mDm', 'vXfS1lOtnK', 'xdUS3JR3mX', 'pMNH7ocdc1a5JB03id6', 'YxXhUwcQC4mlesXgtjL'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, KksAkZufFMpkv6tC6g.cs	High entropy of concatenated method names: 'AtyTD2tRrQ', 'ktATONBkfR', 'YVO0CjOlV1', 'm6W0GmRegJ', 'nEZTi6ygpW', 'jvITp0iR0E', 'eloTski6FL', 'MADTNaXuEG', 'GO9T5wowdH', 'hvHTJQDXpt'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, OvZs7NRiZpB5A90qmm.cs	High entropy of concatenated method names: 'yLtaeiGti', 'UP8QCRQpf', 'NKnrUOPIp', 'XlyAuEwJA', 'RK2jatWTB', 'xQXxHtHlc', 'BsxMqD8yLRmfYgle27', 'iIonu3dgoxmj3uowg6', 'JiFxMNQwSplB1bXvDU', 'nhR0qeE0W'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, N4P4GWcQkqHPddwcWa.cs	High entropy of concatenated method names: 'TDQENassNU', 'uVGE554yUx', 'DnDEJ122hR', 'P3nE789b6v', 'IjAEWx8KpL', 'R9xEuSWBBg', 'CRPELvTSK3', 'tU1EDOUkMm', 'T9qEM79IVf', 'wA4EOnn4Lb'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, G7Effxjk7aXCFjWdQP.cs	High entropy of concatenated method names: 'CJ01QAv0H8', 'StL1r7nVv0', 'RA31cuG7Xc', 'QUk1j4NxJc', 'chk1m8F5hN', 'gPP1d7jwn0', 'Tj61TTIEkT', 'N1U104xn7k', 'Ajc1h4S0OE', 'CKF1SK1fSo'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, Dxg7bilcDZidr2uZv7.cs	High entropy of concatenated method names: 'wN4ZffCHCv', 'mpqZEdl4mt', 'VODZ3220dl', 'lxUZwsPRAu', 'v34ZHpnOHK', 'nBG3WA1ZXj', 'v113urETGi', 'p2D3LgWksg', 'pgC3DmTauR', 'Uxb3M4DqbE'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, VQZFtdM8ACEDTEWPeB.cs	High entropy of concatenated method names: 'QJI0l1qdmB', 'd4n08AFms0', 'FX506CIcqw', 'TSA0ybsYoA', 'lQ20NTbqqZ', 'aFa0olxnnd', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, mnef8vkpabqtGHcdwg.cs	High entropy of concatenated method names: 'bfLwF5Xj5I', 'DqbwPYlmKp', 'OkYwatF8CX', 'O5hwQn25BN', 'tGhwVsB9NW', 'loVwrvobjk', 'ANbwAL0ETX', 'xDhwcOjNnb', 's5iwj99rGx', 'q2Pwx1KxF5'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, QjQ4YH7Utrfw1y2mIT.cs	High entropy of concatenated method names: 'bavTeUctEf', 'TPgTKyo26a', 'ToString', 'rGdT4lnwxc', 'EKrTEh2Mf7', 'Ll4T1Zq01b', 'EcHT3Y4d0x', 'LQfTZvDUpD', 'ygcTwvXI6F', 'AolTH6Phq7'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, j5bf5aHanl77EJZvqk.cs	High entropy of concatenated method names: 'LptnfPwmRq', 'D8qn4DhUGR', 'DxinESRYd2', 'UK7n13kKrk', 'BPfn3YY9aK', 'ytvnZJog92', 'DZVnwKy95H', 'PaqnHxRSvT', 'xfpnB4ylME', 'k0nneRr5KO'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, HpjZYhs8gsBTDbTvIp.cs	High entropy of concatenated method names: 'rl1Xc2h2da', 'hfTXjec844', 'nBIXlkqDJO', 'rqcX85PKNw', 'zCuXyO7bvm', 'li3Xo4rmaF', 'LyaXtXEjGY', 'PlTX2018Yv', 'PGJXgaivbR', 'wLIXixPkgF'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, hctR6TGnfA5n5CVANP8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lMBSN9KZ60', 'BxoS51TLKF', 'na6SJ7QeQ5', 'LxLS7YmxPw', 'zedSWvji4q', 'q4TSuysKjK', 'uZqSLLttCO'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, vjP4fSv21lfb6YAjlG.cs	High entropy of concatenated method names: 'opgGw4P4GW', 'AkqGHHPddw', 'Fk7GeaXCFj', 'UdQGKP0qTj', 'SdEGmMAcxg', 'TbiGdcDZid', 'KIWsOdaR3XngBjjcoS', 'dnXVW7PlW4og3ZwAtv', 'ug5GG62Nwo', 'JDXGn9cAvg'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, NyIRJ0EmmImnIn0S0S.cs	High entropy of concatenated method names: 'Dispose', 'WQrGMW2qaZ', 'RVHR8SCIC3', 'cb777O886u', 'YmZGO0N5n8', 'GvgGzOXppB', 'ProcessDialogKey', 'YhuRCQZFtd', 'HACRGEDTEW', 'yeBRRldpYD'
Source: 1.2.r10072024085940.scr.exe.3cad510.8.raw.unpack, rqTjWCxO2IvYhJdEMA.cs	High entropy of concatenated method names: 'TbJ3VKh3hX', 'f3V3A6bQ7h', 'NQK16SMRV9', 'x2k1yK333v', 'avZ1oQB0Jt', 'utB19KUXqy', 'Q9e1tvKiOh', 'zU712tGOHh', 'fP71k8uYLh', 'PBD1gAd4Zs'
Source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, NkEtj4xdihRGcDPjVY.cs	High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.cs	High entropy of concatenated method names: 'nzpq34I2Owdcl9fMv5UC2J5bWAhYRAKaulM2epxdlOUgYAwStJcbsQF2LV7', '_3TV7y1L0UdqugSHqWSFDQgjIB1RLAMta0zbdfnGtgjiEucMaYzlPshW9VtV', 'pjvrCbuiTImLYchYZBIntOVyvPn3ZfSMtWVvNsM0Nvur9iH1fX2B8axAglC', 'jI7KmqV1ayX8qwmay9TzwN1cwR8kqb0h8EMRQLIOnFHgagzy7qGeZFVymwQ'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, 8vDNxxr6KA56TLeIORtyRLSVXe.cs	High entropy of concatenated method names: '_00wnbuD6N1v3u4tAFw3wul2CM0', 'fbuqWesh3CVNj2RtuGY4FmHJps', 'HFqUUv7DJAEEhvrSsywavqaOIT', 'lO3fdbWbA8cdJSM60XZlTyTo1nRw6RJ0TkcvaWTmeXkk', 'o454lDfZaM893ftJX7v3O4qrjBaqZgXKn8MLidOK6Wep', 'dGQ7XoqybmSzxfRt5TDkZgPg2kC5INkjb6ybBBTnIQBQ', 'qnxpDMttXO5Q6RWMOugTF1OB5xiLTvjjuAAVGH4HMLQO', 'HeZsr9e5BNhQhw2tx7EzDGOu3oFSOtiNHoENJsbWOQXf', 'DJjUyYbm7hNYuN3aTC7191TEVjaM3TCFuJXKVoTOyfXP', 'gZOiEnnJ6n7BiHg1PhnYUfFDonaGra3pPadwz8Md8Lwa'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, TvXNMPQzFStCY57ElDLFZF5wAWyu0HVKP74m0eYWEhLZU5ek0outej2CSyzPAywwqGzOP32wGaNx3OfXdD6rsa5uWywfJM4PgHN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cqdgMqYlqVr2WPbYU5d9YHP80OHFw99M9Y6CT3Cr4bu1pDH343obGJOq7xC', 'g5ZfxcIQ2yYANiEqDIDYC5MiH24kf8WoOop4sg9QRmMmIwIekfETxLRXPUs', '_26HTuFzrNZYByDsAEiZbqNFA59SdHCtVcYm4RrYlYDtfKTpyB7EqJpy61DM', 'Hta5nog2yoVHh9zNcyUS7cXHn92CKJeikSJ96C9reTxLwGxghqe54UiXCun'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, JJqNIbmAEnE7SiPqGMTQm6czGZ9oDVL8xeYwvixsqiqWp3UZE3bbHqW0DPuSoU7Yz04fIfeMVsV3xLKVxXwRTrLXVvtHRM473Hj.cs	High entropy of concatenated method names: '_0wZ0aYgmMl7kCbvj6Ou4SqrdhKMFXGYofIhw64PZvBBBcVwz8edGsmoVjHZbxfJWPFhXcFK7G5Pkh3B9nMhjygTmnsyHZe5BwKO', 'wKAxAa74PvSccIjVWKrzIU9aAbAaHgp2F7R6H71jGdpLfaJQlfMmCgmIYeOq3bhY2kwGWp326CXODtRaQ1K7UejHfChjJCsd4w6', 'mblvCI5AALNqM17akKxCiwWFqw4LHtX9ugJUzGVJ5hX19rmDg285YT5yERlcJs18nWe8lJA3wuvI431UqKVZVz65vnGkNFR36WN', '_7CaW1EWN4UJVbiroC1AJiLX9lGWRa1euvVKutGGoR8xtke3Xu7QmRXrUL6xaZijXX9TQVdzIzydglyCWCssa48rnFFFPU2xct98', 'GywKF26peTAjyqmA0CwBA9qjJy4zhnHgjQ3LQ24bOXCR5e8HHJQUHzAMBVF6ruq9Qx8IW2od06bo2WNzKmI5vXL99DfhdVs0lR0', 'wJj4dvHtMignilEHYXN1NqGKGCvTZPsAQfYt5ZUtqcHgRruffEstHQHFzzP', 'z8wKUA2RKriNaMffEKpb4ppJCmTntUt8oajciBxfzbgAWeF0darr6JKmGCE', 'gDKN5mrHJddJ7SGyk37vE8BX8FDQO4LE9MUKXE6gr3ZBhTUKPL1dpb7nZJU', 'q59SA0UWlBieLpkTGLZQ2MuXoOR0y6UAwZUuPLi7j5XLYpj5l0PTYnG4bR2', '_5HnHp0XZFWIe58Rxw2X8ec6Ak3NpUsaEP4gwO8SsoiNMr9hESe9256VyQLT'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	High entropy of concatenated method names: '_1Rspokhmbe63QRMYYW7YaeFX0v', 'yq2uAsopTtMnLlhOp3DDOI5x0D3nFRlhWfKcOXT4v4gy', 'P6kUAuGkBsoDc6hkTCoEjAFeZebruUYkj9lWD5A2Wa30', '_5fL5nT5bzWd4k9YU5fI6Mpi6WWp4SBBmZ5CDOZK7cqqb', 'OZMMPGeVcmQdHwJF9epKtonlDSwhlOm5WEq7HAmYKxkl'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	High entropy of concatenated method names: 'LdFLkiKlLrIfANYkDqDQXycHmXxIRUaNL4TkP4RHu7gZe8lku41k0ght9Et3VdaNL2d3xxicXkR3nKgFLeTJ', 'HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP', '_0Sb0jSn74vlKCTBycSpeKCKh8YVnIEDot37X0YY8eiqItyMOkMMnEHcDx87GiyxSyRglhdcD2PfetzhD4OQv', 'oaGsaY395ldYCvAX6WxuCpu4ToG9fV2z5tOYwsJcZ5WUXesjqC4oPF69K1QpSsQ7gFX5LmiVjo2HXeH06dJ3', 'Jvg1iNjm2BnGEK9IIpgoplw6Fr0GV7T4vOumLInDXwY0x4C7t6WTPgLEDEOjf44CUQacC30IEtGAWjL1KcxM', 'erIkWKvNLiY2o8ryEih0Eq4ui5nGIqCHNiSsMAnAy9xaqzkqpDDH8VaOOFprVmT3M2Ikaye65nLjquYxw1E0', 'XZN7O3p3PknQ8oiGMcm2nUKm2u4J2dqNsvpWsGAEBCnitAPO84VpGDc6njiiTqqghHeXC3ltqdDBds0326Am', 'GanNgRzx9YmKSxobPaRmKvYnZEBvFAUCoPdDSV29IjNGNpAsix8wOUqtZnIRoKjLONyRAl2amIDRhhSMEsvR', 'aSPD3e3gL7inuMeKBXU5aaNxfyuloxHqiCgBrqZNzpio6yary8g4U7qoSVAKB9M5aK8JZ4JL7frwEPIWLNii', 'tMNw0i1eU1cZcutvPHlHjmT4OmNObT1BsuhC6uw8Dnbb4boPq9pTjoXX239rQ1OxsNBiYEUDmDjXfN7SxgnS'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, kaHZoyXSlsqJiGMDmYfIITVF1t.cs	High entropy of concatenated method names: '_6Uc2JxshDBPfgjJCqPzKspkSU6', '_0EOkSBhN5BPczbdrIiryIEVhy9Jcydn0pQbJMd8zvSPb', 'xq6aEromiLWyTaoNny5Z75jxKNwfdMWW98IhSvJ6oZpR', 'U9ZFrYbS9G7idln1Gk7gDwUXZHcoxvNGRUMapKTfcdMn', 'ywQd4pM6VBs57Lkeaqj7cUzstOyB2LDnY1mqhMKk3XiZ'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	High entropy of concatenated method names: 'bCUGVYnUqZyhFAZbEOF8KW3BuhcghQFp4XbpthrY6K0XxuF4hMaEIWAIpnB3sTgPgCko4dcZKitOlvJ4V9gmqXXdcZBfSDK9PWi', 'gDbp8urZptnAbj0zWQ7gFA2VSwEQMOJWyzCYgjq8ln8fED06jOLIa7FsNFZl81vOShWbUSbuI29QzqPYJpDv', 'l2qBqfPnflox0oUMwDgwc6T2D0lpuAvDPkD4apKf5Wd14y3XcjfkBS1Ndh3Gc8tw5VLgrW3tjRK8zSoKU0aU', 'hoypSSF61Ev12VdcpSWsuCsz8EiMN0p8VwXX510nTgecdRq3auorXQHedcwtI5XSdv3Jd1tDQQJqUMUluGmb', 'YV1XISLVVJ5Y0mBVcHk1dNPhFHKtppPBBjKUhzkde4VTAu2v4uTmDptxzRPlgs8IOiTvVMXi4VuQJk2v9LPM', 'Uo8HKkXeQThRMnP47TFhsmst4pNfLPDeHcfjtIgOLBoBIOlIOPHVs8TPXtX8A6Po5jCiQgFkesG3YNZjzcF7', 'XbuhqAjsSjImWGTWc0QyDqw4o38ZrGLkTeO7gQZHxpjqTP2daTBnRUPSuLKXqlSvS3PhLJwzRrIQQzIUfZs9', 'HCdwGWSVOU9ZMemoUSROkkB37ldP2pm0vIb58nnbPUZ5niX0gO6PXVkJ3d6wXEGpbO7ygUwE4Y4divvJYUCm', 'UmQJWM9T5XTdAv5EWIqg0EbL73yYEejk7kvUSMPBkUrj5MBOxAgEkqWEnW47gLT9HaKc0isLagCWLN4qPZj6', 'ijmQHVULTzVwclrwpq3xcMYgi1lhxhpu2IixdEaz11jtj8gwM8u23SVGpFCmLZxJ53H9WIkqaguItBf4PvKG'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	High entropy of concatenated method names: '_4csOR5COJp8Nw3svOgBiOEei9M', 'oveHTjECO0IF9XGehFIVHW7lat', 'yRio6ujIz4vsYwBFUmeCDplhI8', '_2lHxdw84riTaEpvOtTBEqGkKfx', 'vGXLg0twHPePs16E9gmC5qtgJi', 'amALwgZEgu6vjk9VJ0l2nLE3Ld', 'rSUlQxAaBUIsMYMhkDoSbV6fZj', 'wJ3YLoJiM8fEsrTjaaxtEvrjUC', 'cjkSPRge0PhwjImVXL1VszhHEk', 'caCxIgsVfZKzYuJ3bbMJuPWieY'
Source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, xtLYoziFoUXIYcdlBH3lx0uJoM.cs	High entropy of concatenated method names: 'DyiS7GCf6yJBfx6mBb9DkUiW0c', 'fiQpyAo0IBbeBuurlZXXD0ovlh', '_8WbDzYCEqnK691DDZQiYMS38tS', 'uxjvrYaAM1okWt3r2WV930uiBi', '_5tnbXy7KCwX4Q0gToPZK5Hx9h9', 'kFc8o3QG5lEqswQDaulholu0z4', 'nDwUZxUoLoII7NnxtAegToyTjy', 'fWo08S8ROrOcbRLfn78U2ZYTED', 'TJbvllUdEJV2xqcRQt0BGAMsWD', 'bjftBidTyaRZhAraXSu114o6Sd'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.cs	High entropy of concatenated method names: 'nzpq34I2Owdcl9fMv5UC2J5bWAhYRAKaulM2epxdlOUgYAwStJcbsQF2LV7', '_3TV7y1L0UdqugSHqWSFDQgjIB1RLAMta0zbdfnGtgjiEucMaYzlPshW9VtV', 'pjvrCbuiTImLYchYZBIntOVyvPn3ZfSMtWVvNsM0Nvur9iH1fX2B8axAglC', 'jI7KmqV1ayX8qwmay9TzwN1cwR8kqb0h8EMRQLIOnFHgagzy7qGeZFVymwQ'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, 8vDNxxr6KA56TLeIORtyRLSVXe.cs	High entropy of concatenated method names: '_00wnbuD6N1v3u4tAFw3wul2CM0', 'fbuqWesh3CVNj2RtuGY4FmHJps', 'HFqUUv7DJAEEhvrSsywavqaOIT', 'lO3fdbWbA8cdJSM60XZlTyTo1nRw6RJ0TkcvaWTmeXkk', 'o454lDfZaM893ftJX7v3O4qrjBaqZgXKn8MLidOK6Wep', 'dGQ7XoqybmSzxfRt5TDkZgPg2kC5INkjb6ybBBTnIQBQ', 'qnxpDMttXO5Q6RWMOugTF1OB5xiLTvjjuAAVGH4HMLQO', 'HeZsr9e5BNhQhw2tx7EzDGOu3oFSOtiNHoENJsbWOQXf', 'DJjUyYbm7hNYuN3aTC7191TEVjaM3TCFuJXKVoTOyfXP', 'gZOiEnnJ6n7BiHg1PhnYUfFDonaGra3pPadwz8Md8Lwa'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, TvXNMPQzFStCY57ElDLFZF5wAWyu0HVKP74m0eYWEhLZU5ek0outej2CSyzPAywwqGzOP32wGaNx3OfXdD6rsa5uWywfJM4PgHN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cqdgMqYlqVr2WPbYU5d9YHP80OHFw99M9Y6CT3Cr4bu1pDH343obGJOq7xC', 'g5ZfxcIQ2yYANiEqDIDYC5MiH24kf8WoOop4sg9QRmMmIwIekfETxLRXPUs', '_26HTuFzrNZYByDsAEiZbqNFA59SdHCtVcYm4RrYlYDtfKTpyB7EqJpy61DM', 'Hta5nog2yoVHh9zNcyUS7cXHn92CKJeikSJ96C9reTxLwGxghqe54UiXCun'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, JJqNIbmAEnE7SiPqGMTQm6czGZ9oDVL8xeYwvixsqiqWp3UZE3bbHqW0DPuSoU7Yz04fIfeMVsV3xLKVxXwRTrLXVvtHRM473Hj.cs	High entropy of concatenated method names: '_0wZ0aYgmMl7kCbvj6Ou4SqrdhKMFXGYofIhw64PZvBBBcVwz8edGsmoVjHZbxfJWPFhXcFK7G5Pkh3B9nMhjygTmnsyHZe5BwKO', 'wKAxAa74PvSccIjVWKrzIU9aAbAaHgp2F7R6H71jGdpLfaJQlfMmCgmIYeOq3bhY2kwGWp326CXODtRaQ1K7UejHfChjJCsd4w6', 'mblvCI5AALNqM17akKxCiwWFqw4LHtX9ugJUzGVJ5hX19rmDg285YT5yERlcJs18nWe8lJA3wuvI431UqKVZVz65vnGkNFR36WN', '_7CaW1EWN4UJVbiroC1AJiLX9lGWRa1euvVKutGGoR8xtke3Xu7QmRXrUL6xaZijXX9TQVdzIzydglyCWCssa48rnFFFPU2xct98', 'GywKF26peTAjyqmA0CwBA9qjJy4zhnHgjQ3LQ24bOXCR5e8HHJQUHzAMBVF6ruq9Qx8IW2od06bo2WNzKmI5vXL99DfhdVs0lR0', 'wJj4dvHtMignilEHYXN1NqGKGCvTZPsAQfYt5ZUtqcHgRruffEstHQHFzzP', 'z8wKUA2RKriNaMffEKpb4ppJCmTntUt8oajciBxfzbgAWeF0darr6JKmGCE', 'gDKN5mrHJddJ7SGyk37vE8BX8FDQO4LE9MUKXE6gr3ZBhTUKPL1dpb7nZJU', 'q59SA0UWlBieLpkTGLZQ2MuXoOR0y6UAwZUuPLi7j5XLYpj5l0PTYnG4bR2', '_5HnHp0XZFWIe58Rxw2X8ec6Ak3NpUsaEP4gwO8SsoiNMr9hESe9256VyQLT'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	High entropy of concatenated method names: '_1Rspokhmbe63QRMYYW7YaeFX0v', 'yq2uAsopTtMnLlhOp3DDOI5x0D3nFRlhWfKcOXT4v4gy', 'P6kUAuGkBsoDc6hkTCoEjAFeZebruUYkj9lWD5A2Wa30', '_5fL5nT5bzWd4k9YU5fI6Mpi6WWp4SBBmZ5CDOZK7cqqb', 'OZMMPGeVcmQdHwJF9epKtonlDSwhlOm5WEq7HAmYKxkl'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	High entropy of concatenated method names: 'LdFLkiKlLrIfANYkDqDQXycHmXxIRUaNL4TkP4RHu7gZe8lku41k0ght9Et3VdaNL2d3xxicXkR3nKgFLeTJ', 'HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP', '_0Sb0jSn74vlKCTBycSpeKCKh8YVnIEDot37X0YY8eiqItyMOkMMnEHcDx87GiyxSyRglhdcD2PfetzhD4OQv', 'oaGsaY395ldYCvAX6WxuCpu4ToG9fV2z5tOYwsJcZ5WUXesjqC4oPF69K1QpSsQ7gFX5LmiVjo2HXeH06dJ3', 'Jvg1iNjm2BnGEK9IIpgoplw6Fr0GV7T4vOumLInDXwY0x4C7t6WTPgLEDEOjf44CUQacC30IEtGAWjL1KcxM', 'erIkWKvNLiY2o8ryEih0Eq4ui5nGIqCHNiSsMAnAy9xaqzkqpDDH8VaOOFprVmT3M2Ikaye65nLjquYxw1E0', 'XZN7O3p3PknQ8oiGMcm2nUKm2u4J2dqNsvpWsGAEBCnitAPO84VpGDc6njiiTqqghHeXC3ltqdDBds0326Am', 'GanNgRzx9YmKSxobPaRmKvYnZEBvFAUCoPdDSV29IjNGNpAsix8wOUqtZnIRoKjLONyRAl2amIDRhhSMEsvR', 'aSPD3e3gL7inuMeKBXU5aaNxfyuloxHqiCgBrqZNzpio6yary8g4U7qoSVAKB9M5aK8JZ4JL7frwEPIWLNii', 'tMNw0i1eU1cZcutvPHlHjmT4OmNObT1BsuhC6uw8Dnbb4boPq9pTjoXX239rQ1OxsNBiYEUDmDjXfN7SxgnS'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, kaHZoyXSlsqJiGMDmYfIITVF1t.cs	High entropy of concatenated method names: '_6Uc2JxshDBPfgjJCqPzKspkSU6', '_0EOkSBhN5BPczbdrIiryIEVhy9Jcydn0pQbJMd8zvSPb', 'xq6aEromiLWyTaoNny5Z75jxKNwfdMWW98IhSvJ6oZpR', 'U9ZFrYbS9G7idln1Gk7gDwUXZHcoxvNGRUMapKTfcdMn', 'ywQd4pM6VBs57Lkeaqj7cUzstOyB2LDnY1mqhMKk3XiZ'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	High entropy of concatenated method names: 'bCUGVYnUqZyhFAZbEOF8KW3BuhcghQFp4XbpthrY6K0XxuF4hMaEIWAIpnB3sTgPgCko4dcZKitOlvJ4V9gmqXXdcZBfSDK9PWi', 'gDbp8urZptnAbj0zWQ7gFA2VSwEQMOJWyzCYgjq8ln8fED06jOLIa7FsNFZl81vOShWbUSbuI29QzqPYJpDv', 'l2qBqfPnflox0oUMwDgwc6T2D0lpuAvDPkD4apKf5Wd14y3XcjfkBS1Ndh3Gc8tw5VLgrW3tjRK8zSoKU0aU', 'hoypSSF61Ev12VdcpSWsuCsz8EiMN0p8VwXX510nTgecdRq3auorXQHedcwtI5XSdv3Jd1tDQQJqUMUluGmb', 'YV1XISLVVJ5Y0mBVcHk1dNPhFHKtppPBBjKUhzkde4VTAu2v4uTmDptxzRPlgs8IOiTvVMXi4VuQJk2v9LPM', 'Uo8HKkXeQThRMnP47TFhsmst4pNfLPDeHcfjtIgOLBoBIOlIOPHVs8TPXtX8A6Po5jCiQgFkesG3YNZjzcF7', 'XbuhqAjsSjImWGTWc0QyDqw4o38ZrGLkTeO7gQZHxpjqTP2daTBnRUPSuLKXqlSvS3PhLJwzRrIQQzIUfZs9', 'HCdwGWSVOU9ZMemoUSROkkB37ldP2pm0vIb58nnbPUZ5niX0gO6PXVkJ3d6wXEGpbO7ygUwE4Y4divvJYUCm', 'UmQJWM9T5XTdAv5EWIqg0EbL73yYEejk7kvUSMPBkUrj5MBOxAgEkqWEnW47gLT9HaKc0isLagCWLN4qPZj6', 'ijmQHVULTzVwclrwpq3xcMYgi1lhxhpu2IixdEaz11jtj8gwM8u23SVGpFCmLZxJ53H9WIkqaguItBf4PvKG'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	High entropy of concatenated method names: '_4csOR5COJp8Nw3svOgBiOEei9M', 'oveHTjECO0IF9XGehFIVHW7lat', 'yRio6ujIz4vsYwBFUmeCDplhI8', '_2lHxdw84riTaEpvOtTBEqGkKfx', 'vGXLg0twHPePs16E9gmC5qtgJi', 'amALwgZEgu6vjk9VJ0l2nLE3Ld', 'rSUlQxAaBUIsMYMhkDoSbV6fZj', 'wJ3YLoJiM8fEsrTjaaxtEvrjUC', 'cjkSPRge0PhwjImVXL1VszhHEk', 'caCxIgsVfZKzYuJ3bbMJuPWieY'
Source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, xtLYoziFoUXIYcdlBH3lx0uJoM.cs	High entropy of concatenated method names: 'DyiS7GCf6yJBfx6mBb9DkUiW0c', 'fiQpyAo0IBbeBuurlZXXD0ovlh', '_8WbDzYCEqnK691DDZQiYMS38tS', 'uxjvrYaAM1okWt3r2WV930uiBi', '_5tnbXy7KCwX4Q0gToPZK5Hx9h9', 'kFc8o3QG5lEqswQDaulholu0z4', 'nDwUZxUoLoII7NnxtAegToyTjy', 'fWo08S8ROrOcbRLfn78U2ZYTED', 'TJbvllUdEJV2xqcRQt0BGAMsWD', 'bjftBidTyaRZhAraXSu114o6Sd'

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: r10072024085940.scr.exe PID: 5040, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 9070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 7320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: B170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239167	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Window / User API: threadDelayed 783	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Window / User API: threadDelayed 396	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Window / User API: threadDelayed 9257	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6974	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2725	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6640	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2988	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7806	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1984	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8059	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1650	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 1472	Thread sleep time: -239167s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 7116	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 6708	Thread sleep count: 9257 > 30	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe TID: 6708	Thread sleep count: 593 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1176	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 876	Thread sleep count: 6640 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep count: 2988 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6996	Thread sleep count: 7806 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6996	Thread sleep count: 1984 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep count: 8059 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep count: 1650 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 239167	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: r10072024085940.scr.exe, 00000003.00000002.4600814597.0000000001179000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Memory written: C:\Users\user\Desktop\r10072024085940.scr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Users\user\Desktop\r10072024085940.scr.exe "C:\Users\user\Desktop\r10072024085940.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'r10072024085940.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Users\user\Desktop\r10072024085940.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Users\user\Desktop\r10072024085940.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\r10072024085940.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: r10072024085940.scr.exe, 00000003.00000002.4624257728.0000000006390000.00000004.00000020.00020000.00000000.sdmp, r10072024085940.scr.exe, 00000003.00000002.4600814597.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, r10072024085940.scr.exe, 00000003.00000002.4600814597.0000000001141000.00000004.00000020.00020000.00000000.sdmp, r10072024085940.scr.exe, 00000003.00000002.4624257728.00000000063A9000.00000004.00000020.00020000.00000000.sdmp, r10072024085940.scr.exe, 00000003.00000002.4600814597.0000000001128000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r10072024085940.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.9040000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2151669243.0000000009040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 3.2.r10072024085940.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r10072024085940.scr.exe PID: 5040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: r10072024085940.scr.exe PID: 4364, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.r10072024085940.scr.exe.9040000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.9040000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a4f0c4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2151669243.0000000009040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 3.2.r10072024085940.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a8cb9c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.r10072024085940.scr.exe.2a9ee8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r10072024085940.scr.exe PID: 5040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: r10072024085940.scr.exe PID: 4364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r10072024085940.scr.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DarkStealerLoader
r10072024085940.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DarkStealerLoader

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.microsoft.co0	0%	Avira URL Cloud	safe
104.250.180.178	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2203786870.0000000005538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241264306.00000000057A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2291307877.0000000005FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 0000000E.00000002.2325415061.00000000032E9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2198283869.0000000004626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.00000000050A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2198283869.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.0000000004F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004D81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co0	powershell.exe, 0000000E.00000002.2370487996.0000000008843000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2198283869.0000000004626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004897000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.00000000050A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	r10072024085940.scr.exe, XClient.exe.3.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2203786870.0000000005538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241264306.00000000057A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2291307877.0000000005FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 00000009.00000002.2304106697.00000000089C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.2353334687.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	r10072024085940.scr.exe, 00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, r10072024085940.scr.exe, 00000003.00000002.4606757606.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2198283869.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2228813077.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2273572627.0000000004F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2329810672.0000000004D81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.2329810672.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480135
Start date and time:	2024-07-24 15:40:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r10072024085940.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/20@0/1
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 350 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5392 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: r10072024085940.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
09:41:50	API Interceptor	7944836x Sleep call for process: r10072024085940.scr.exe modified
09:41:55	API Interceptor	42x Sleep call for process: powershell.exe modified
15:42:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	OCEBL_INV_594040769403_59403014770400_19072024_144337.pdf.scr.exe	Get hash	malicious	Remcos	Browse
	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	LMSIN2407028 - PO# 4500577338, by 1x40' HQ .pdf.scr.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse
	rSO0105-PI-514124SO0105,702(CFS-CY)FIRSYD.scr.exe	Get hash	malicious	XWorm	Browse
	DELAY NOTICE - ONE_FORTUNE - 001W (MD22425W).scr.exe	Get hash	malicious	XWorm	Browse
	ISF 10+2 Form+VGM - MX-M354N_20240709_134303.scr.exe	Get hash	malicious	Remcos	Browse
	.pdf.scr.exe	Get hash	malicious	Remcos	Browse
	.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	u26bBpzXS5.exe	Get hash	malicious	DanaBot	Browse	172.86.76.246
	u26bBpzXS5.exe	Get hash	malicious	DanaBot	Browse	172.86.76.246
	M7RrbN4DTk.exe	Get hash	malicious	Remcos, DBatLoader	Browse	194.187.251.115
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	194.187.251.115
	83M0VAEEuh.exe	Get hash	malicious	WhiteSnake Stealer	Browse	195.206.105.227
	L Catterton Open Benefits Enrollment.pdf	Get hash	malicious	HTMLPhisher	Browse	91.202.233.193
	94.156.8.9-skid.arm7-2024-07-23T17_40_10.elf	Get hash	malicious	Mirai, Moobot	Browse	198.100.166.140
	BJu5gH74uD.elf	Get hash	malicious	Unknown	Browse	45.86.28.68
	OCcyyxs6dW.elf	Get hash	malicious	Unknown	Browse	38.203.241.126
	0003945 RFQ Cylinder Block PO list and detailed Drawing gpj.exe	Get hash	malicious	Remcos	Browse	194.187.251.115

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379607286348624
Encrypted:	false
SSDEEP:	48:+WSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//MvUyus:+LHxv2IfLZ2KRH6Oug8s
MD5:	1C26CDD17E89F1E8300E89EEE8EEFC2D
SHA1:	03A2E216CE9941AD56032B7E1883EA3D3BCA63AF
SHA-256:	DCD9F3E47B73F46A53F447008A4D6076AB8ABB0CA3E1B77B6DAB0CCCAA2A7B60
SHA-512:	2B3C58443A237C61330EB334004DBDE1ED291CE575548BDDCEA9199D8BCD6BB03530CB1A7CD21986F3C74E569107EBEFFBE348C7659D3EDD8D4241A25485B43F
Malicious:	false
Reputation:	low
Preview:	@...e...............................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\r10072024085940.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mcbxpec.fms.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2g0af0uo.c4b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bur112n4.vuu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_darftneo.tma.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfyfk3ya.dqh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2ide0yr.khe.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvdupxdf.out.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ia1mhcba.m00.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kue1o3yy.lqi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_om4vysac.n30.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soyoeknt.bj2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5mzxnxo.szq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlgi3ebw.pka.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnxuzmjh.qb0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x01r3um3.uls.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhr21zmx.aig.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\r10072024085940.scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jul 24 12:42:15 2024, mtime=Wed Jul 24 12:42:15 2024, atime=Wed Jul 24 12:42:15 2024, length=626688, window=hide
Category:	dropped
Size (bytes):	767
Entropy (8bit):	5.070618270484669
Encrypted:	false
SSDEEP:	12:85r24uxypnu8ChMlrAlXIsY//PMIQJLhpjAs+HkBCgymV:85XugDvl8lXU8I2hNAsFAFm
MD5:	86548E13621D96FD6AB7317999A51D65
SHA1:	8B0060D4725DBEBAAD3E6502F9115780C50DD597
SHA-256:	0A5B714B1FDA6510188FFD9531673D339AE1BC8F931B27A9EA513519B83876BF
SHA-512:	6DD779B5926BF1DAFF2C67FCA6FAAED0B4176D1254B5385984C1498CA2C1D42056C704B8A6D03352206071AFC8B29DBEFC15800388E375A537509979A3743589
Malicious:	false
Preview:	L..................F.... .../..K..../..K..../..K............................v.:..DG..Yr?.D..U..k0.&...&.......$..S......7....@.K........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X7m...........................^.A.p.p.D.a.t.a...B.V.1......X5m..Roaming.@......EW<2.X5m..../.......................v.R.o.a.m.i.n.g.....b.2......XHm .XClient.exe.H.......XHm.XHm............................?.X.C.l.i.e.n.t...e.x.e.......\...............-.......[..................C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......745773...........hT..CrF.f4... .'...I...-...-$..hT..CrF.f4... .'...I...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\r10072024085940.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	626688
Entropy (8bit):	7.819321960581988
Encrypted:	false
SSDEEP:	12288:Yu+2iNxAypLcLJ1Peq5gQLnmLmOdfOsojj9fw4OEB:Yu+1bAypcVxROdfyjNwE
MD5:	618CD424097ED299FF5869779F36054A
SHA1:	0B125DF7FA521A8000D22481E7FA3384818F43C1
SHA-256:	89DC59A7A775DFE1F77A49A7E7C964FFC70AE523D209EA78D7854410FE476B90
SHA-512:	E1C36CCA36235F2047DEE03711BAD742AF086602A765D04B0AF61CC673EF21AF185A502BB198CEE6A8D7D7834D34E2CB3A1B4A88AB0C184FFF878393577B06E5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...23...............0.............B.... ........@.. ....................................@....................................O....................................x..p............................................ ............... ..H............text...x.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H............u......0...,5..`C...........................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.X...(%...o&...tX.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.819321960581988
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	r10072024085940.scr.exe
File size:	626'688 bytes
MD5:	618cd424097ed299ff5869779f36054a
SHA1:	0b125df7fa521a8000d22481e7fa3384818f43c1
SHA256:	89dc59a7a775dfe1f77a49a7e7c964ffc70ae523d209ea78d7854410fe476b90
SHA512:	e1c36cca36235f2047dee03711bad742af086602a765d04b0af61cc673ef21af185a502bb198cee6a8d7d7834d34e2cb3a1b4a88ab0c184fff878393577b06e5
SSDEEP:	12288:Yu+2iNxAypLcLJ1Peq5gQLnmLmOdfOsojj9fw4OEB:Yu+1bAypcVxROdfyjNwE
TLSH:	32D4F18273F99F41E1BE5BF56831545417B1BD1AA9A0DA2C8ED170FF4872B408F227A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...23................0.............B.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x49a342
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x81C33332 [Mon Dec 27 09:04:50 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc edi
add byte ptr [edi+00h], al
inc edx
add byte ptr [eax+eax], dh
inc ecx
add byte ptr [eax], bh
add byte ptr [eax+eax], dh
inc esi
add byte ptr [edi], dh
add byte ptr [5A003300h], dh
add byte ptr [ecx], bh
add byte ptr [eax], bh
add byte ptr [eax+eax], dh
aaa
add byte ptr [34005A00h], dh
add byte ptr [ecx+00h], bl
push esp
add byte ptr [eax+eax+00h], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9a2f0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x6b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9788c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x98378	0x98400	15c319e1b8890c4fd28277dd72c10b06	False	0.8862601344417077	data	7.830777991010836	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x6b8	0x800	023018055695271b9ee091c9b50e4c8c	False	0.365234375	data	3.646057913830941	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9e000	0xc	0x200	173be35c3065f2e91f0ce47df8def41f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x9c090	0x428	data			0.412593984962406
RT_MANIFEST	0x9c4c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T15:42:54.092872+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49726	7061	192.168.2.6	104.250.180.178
2024-07-24T15:44:41.561420+0200	TCP	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49736	7061	192.168.2.6	104.250.180.178
2024-07-24T15:42:28.902236+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49722	7061	192.168.2.6	104.250.180.178

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 15:42:17.231678009 CEST	49722	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:17.272099972 CEST	7061	49722	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:17.274108887 CEST	49722	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:17.402048111 CEST	49722	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:17.407285929 CEST	7061	49722	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:28.902235985 CEST	49722	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:28.908160925 CEST	7061	49722	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:38.723896980 CEST	7061	49722	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:38.724026918 CEST	49722	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:39.233200073 CEST	49722	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:39.234891891 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:39.240556955 CEST	7061	49722	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:39.243539095 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:39.243686914 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:39.292650938 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:39.307796955 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:54.092871904 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:54.326565981 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:54.638999939 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:42:55.209506989 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:55.209517956 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:42:55.209528923 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:00.653326988 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:00.653531075 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:03.326685905 CEST	49726	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:03.328526020 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:03.350771904 CEST	7061	49726	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:03.350800991 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:03.350981951 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:03.392111063 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:03.397001982 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:16.608140945 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:16.613337994 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.374886036 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:24.381047010 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.390678883 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:24.396378040 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.405395031 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:24.414001942 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.421456099 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:24.426377058 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.577259064 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:24.582200050 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.593027115 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:24.599244118 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.777863026 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:24.778014898 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:29.593794107 CEST	49729	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:29.596301079 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:29.598784924 CEST	7061	49729	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:29.601227045 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:29.601656914 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:29.748029947 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:29.753106117 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:33.984868050 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:33.990863085 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:40.983155966 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:40.988296032 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:41.077027082 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:41.132416010 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:46.155052900 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:46.161423922 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:46.174232006 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:46.179768085 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:46.233151913 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:46.238919020 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:50.311640978 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:50.623445988 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:50.699179888 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:50.699204922 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:50.987639904 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:50.987719059 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:51.264499903 CEST	49731	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:51.269470930 CEST	7061	49731	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:51.269560099 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:51.274493933 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:51.274895906 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:51.381007910 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:51.387542963 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:56.576833010 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:56.889102936 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:43:56.937645912 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:43:56.937746048 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:02.155107975 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:02.159960032 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:07.280512094 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:07.285506010 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:07.311355114 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:07.323340893 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:07.327174902 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:07.332036018 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:07.467854023 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:07.473283052 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:07.639524937 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:07.644541979 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:12.665096045 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:12.665780067 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:12.665848970 CEST	49733	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:12.667694092 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:12.671813011 CEST	7061	49733	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:12.672689915 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:12.672820091 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:12.772542000 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:12.777596951 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:16.327575922 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:16.629061937 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:22.280498981 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:22.285717010 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:28.014513016 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:28.019381046 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:34.161458015 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:34.161576986 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.172430992 CEST	49735	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.174165010 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.177426100 CEST	7061	49735	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:38.180166006 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:38.180304050 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.224411964 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.229589939 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:38.233124971 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.238811970 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:38.437782049 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:38.445209026 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:41.561419964 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:41.566503048 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:43.780227900 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:43.785387993 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:48.608577013 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:48.613676071 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:48.670926094 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:48.675934076 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:48.686492920 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:48.691737890 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:57.092828035 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:57.097795010 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:59.030210018 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:59.039546013 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:59.045839071 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:59.054208040 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:59.155200005 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:44:59.161108971 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:59.565824032 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:44:59.570261955 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.264318943 CEST	49736	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.269526958 CEST	7061	49736	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.269581079 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.274679899 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.274945021 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.378007889 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.382957935 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.405071974 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.410847902 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.421082020 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.426007986 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.545979023 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.551182032 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.623946905 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.628907919 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:04.905425072 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:04.951857090 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:05.123897076 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:05.131357908 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:09.123979092 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:09.129327059 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:10.389754057 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:10.395382881 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:15.516287088 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:15.522716999 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:19.720432997 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:19.931659937 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:20.452188969 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:20.458617926 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:20.858700037 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:20.863776922 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:20.905443907 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:20.914717913 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:20.983320951 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:20.994229078 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:20.999025106 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:21.005738974 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:21.061559916 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:21.071840048 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:25.656516075 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:25.658471107 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.094286919 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.094288111 CEST	49737	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.103117943 CEST	7061	49737	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.103135109 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.106434107 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.210345984 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.217601061 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.436467886 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.441375017 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.452729940 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.482435942 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.499371052 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.505404949 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.514996052 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.535402060 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:26.655402899 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:26.675827980 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:30.967956066 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:30.972918987 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:35.530303955 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:35.541513920 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:45.045872927 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:45.057756901 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:45.561438084 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:45.567290068 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:47.389637947 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:47.394902945 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:47.709268093 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:47.709363937 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.468843937 CEST	49739	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.470875025 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.473668098 CEST	7061	49739	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:52.475951910 CEST	7061	49740	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:52.476016045 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.521419048 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.527628899 CEST	7061	49740	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:52.545809984 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.550992966 CEST	7061	49740	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:52.639627934 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:52.644413948 CEST	7061	49740	104.250.180.178	192.168.2.6
Jul 24, 2024 15:45:53.889602900 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:45:54.098211050 CEST	7061	49740	104.250.180.178	192.168.2.6
Jul 24, 2024 15:46:01.436497927 CEST	49740	7061	192.168.2.6	104.250.180.178
Jul 24, 2024 15:46:01.441845894 CEST	7061	49740	104.250.180.178	192.168.2.6

Target ID:	1
Start time:	09:41:50
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\r10072024085940.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\r10072024085940.scr.exe"
Imagebase:	0x570000
File size:	626'688 bytes
MD5 hash:	618CD424097ED299FF5869779F36054A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2151669243.0000000009040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.2148203556.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2148203556.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:41:51
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\r10072024085940.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\r10072024085940.scr.exe"
Imagebase:	0xa30000
File size:	626'688 bytes
MD5 hash:	618CD424097ED299FF5869779F36054A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4597735932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:41:54
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\r10072024085940.scr.exe'
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:41:54
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:41:58
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'r10072024085940.scr.exe'
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:41:58
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:42:02
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:42:02
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:42:08
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:42:08
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	178
Total number of Limit Nodes:	18

Executed Functions

Function 08E630F8 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151550561.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e60000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214d94522bdf87bbe7275e39b07f159bb2648edc2bb72b0a3545aa2f1789e92e
Instruction ID: 6552cb0166e41fe17938a027a0e9db8932cca5b1f0dc437dea19cdc1618dad7e
Opcode Fuzzy Hash: 214d94522bdf87bbe7275e39b07f159bb2648edc2bb72b0a3545aa2f1789e92e
Instruction Fuzzy Hash: 23623776A40118DFDB15DF68C984EA9BBB2FF48315F1581A8E509AB366CB31EC52CF40

Function 0282D41A Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0282D49E
GetCurrentThread.KERNEL32 ref: 0282D4DB
GetCurrentProcess.KERNEL32 ref: 0282D518
GetCurrentThreadId.KERNEL32 ref: 0282D571

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 12696b827a5b5efb6a3b2a69e0b81e694367b1ac0c66fe51374717e412726438
Instruction ID: e777d1881c043cb7f97f9724edb0e6ba95287c2418ec0701a3c8b07529ae9393
Opcode Fuzzy Hash: 12696b827a5b5efb6a3b2a69e0b81e694367b1ac0c66fe51374717e412726438
Instruction Fuzzy Hash: 575177B4D00749CFDB54CFA9D648BAEBBF1FF88314F208459D009A7250DB74A988CB61

Function 0282D420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0282D49E
GetCurrentThread.KERNEL32 ref: 0282D4DB
GetCurrentProcess.KERNEL32 ref: 0282D518
GetCurrentThreadId.KERNEL32 ref: 0282D571

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3bb36bafbf23baf1f8465d58e6476814cfcd3f647f8ccafca3d2c3184246cb19
Instruction ID: 9d6a9421e7681a9321b4d79d5a081cde27e2eb38ecea4e88c5e7f77271023943
Opcode Fuzzy Hash: 3bb36bafbf23baf1f8465d58e6476814cfcd3f647f8ccafca3d2c3184246cb19
Instruction Fuzzy Hash: AB5177B49007498FDB54DFA9D648BAEBFF1FF88314F208459E009A7250DB74A984CB65

Function 073161AD Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073163EE

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 00bdadcee60537644b36fd519673d740402f1ba5ebf8840dca29f3acb1b61ecf
Instruction ID: c086835edb5974796ea2c0375dd85dbbc1b0fa6af46d502ec43611a15a8c8ebc
Opcode Fuzzy Hash: 00bdadcee60537644b36fd519673d740402f1ba5ebf8840dca29f3acb1b61ecf
Instruction Fuzzy Hash: A1A14FB1D00229DFEF14CFA8C8427DDBBB2BF48314F1485A9E809A7250DB759985CF92

Function 073161B8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073163EE

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8395d6b8f81aa9af202575b509495053171cf95accdfcd07042a6b3ee0ccbab0
Instruction ID: 0a9b3c793e67895bedd21db2794f85e9aff5b48d77f0c39f07e44ca6e5cc800b
Opcode Fuzzy Hash: 8395d6b8f81aa9af202575b509495053171cf95accdfcd07042a6b3ee0ccbab0
Instruction Fuzzy Hash: 7B914EB1D00229DFEF24CFA8C8417DDBBB2BF48314F1485A9E809A7250DB759985CF92

Function 0282B1B0 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0282B406

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8c3496bf4f13a09499f02629e554cbe641aea79019101498e1f0074c945057f2
Instruction ID: a6b7c78bf5179d0ada71f4dda2677955bbf401a86760fb657d583658de0e187d
Opcode Fuzzy Hash: 8c3496bf4f13a09499f02629e554cbe641aea79019101498e1f0074c945057f2
Instruction Fuzzy Hash: 47715878A01B158FD724DF69C54475ABBF2FF88308F00892ED54AD7A40DB74E989CB91

Function 028244B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028259C9

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 03bae645ecaa58079efec9ebc2a88022c4c08f23b1ba480c20c72691a708e39d
Instruction ID: d808ab59aa9350f2bff6c50a7ebb171cd7ae0609d12cc387aeaa05fd8bcb8ab0
Opcode Fuzzy Hash: 03bae645ecaa58079efec9ebc2a88022c4c08f23b1ba480c20c72691a708e39d
Instruction Fuzzy Hash: 2D41E374C0072DCBEB24CFA9C94479EBBF5BF88304F60805AD409AB251DB756949CF90

Function 0282590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028259C9

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7d0c0c2679e220f2c65693377ff471670e058d4c5d21cfbc30076b082ec23e0f
Instruction ID: df66bce016d9c48794dd5391e78874de6bbecd7c6408684889bfdd43f29087d5
Opcode Fuzzy Hash: 7d0c0c2679e220f2c65693377ff471670e058d4c5d21cfbc30076b082ec23e0f
Instruction Fuzzy Hash: 6641E0B4C00719CBEF14CFA9C98578DBBB1BF88304F64805AD409AB255DB75698ACF90

Function 07315F28 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07315FC0

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d6877142c245ac95d063d1e1bf25f5ffebf399a6d6142bb7b0747cd5525bb45b
Instruction ID: 234f79d7087d9c1d76dc77531a9d8e11e9a5aa306c47104630d218b74444c308
Opcode Fuzzy Hash: d6877142c245ac95d063d1e1bf25f5ffebf399a6d6142bb7b0747cd5525bb45b
Instruction Fuzzy Hash: 992137B190134ADFDB10CFA9C881BDEBBF5FF88310F10842AE958A7241D7789554CBA5

Function 07A45038 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07A450D7

Memory Dump Source

Source File: 00000001.00000002.2151274709.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a40000_r10072024085940.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: eb55382e91ab6c9ca8357d29b7e887f7ee9211d5f2841dd8ef7d268fde53719d
Instruction ID: 5eb1e7173384f7af9e42a7292d555e742b4fa838a897fc01ad323386dd6f0c80
Opcode Fuzzy Hash: eb55382e91ab6c9ca8357d29b7e887f7ee9211d5f2841dd8ef7d268fde53719d
Instruction Fuzzy Hash: 0931C4B5D002499FDB10CFAAD884ADEFBF4FF88324F14841AE515A7610D775A954CFA0

Function 07A45040 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07A450D7

Memory Dump Source

Source File: 00000001.00000002.2151274709.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a40000_r10072024085940.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 09e1578fe20e4835e5dbe5ee73684e0fe5a562db43dc1cbf57cba65ec0dfc9b1
Instruction ID: 528ddee127c0062d5493df524e82edc7da0521a970cbdb6fc15afaec88aa2280
Opcode Fuzzy Hash: 09e1578fe20e4835e5dbe5ee73684e0fe5a562db43dc1cbf57cba65ec0dfc9b1
Instruction Fuzzy Hash: 8021A3B5D003499FDB10CF9AD884A9EFBF5FB88324F24842AE519A7210D775A954CFA0

Function 07315F30 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07315FC0

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6e05338a15c24fa09d52a9a79ef1fc81615053e6ce9783f0ef03f057898c11dd
Instruction ID: 2553205d8cfecefba318fd677f3ac64bd12a0dd38dbe699463ba0479d8b2b077
Opcode Fuzzy Hash: 6e05338a15c24fa09d52a9a79ef1fc81615053e6ce9783f0ef03f057898c11dd
Instruction Fuzzy Hash: 2C2126B5900349DFDB14CFA9C881BDEBBF5FF88310F108429E918A7240D7789950CBA4

Function 07315D90 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07315E16

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6850557bdefd915379a000a84d871b82c2c3bb3022c3504a46218e19d0dc9545
Instruction ID: 26ddfb71aeab70c42ba954303a263e02339eecd89267eb0cf993ee1d9544811b
Opcode Fuzzy Hash: 6850557bdefd915379a000a84d871b82c2c3bb3022c3504a46218e19d0dc9545
Instruction Fuzzy Hash: C62159B1D003498FEB14CFA9C4847EEBFF0AF88310F14842ED458A7240CB789545CBA1

Function 07316019 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073160A0

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 634017a658c252504831637b4aed64f2952c0e4a466ceb7c2f0efc2c6a2d530a
Instruction ID: bb3a8304d7b6da7f74ea24d21b5296d61ade9ccc86b455e4e793600498af122a
Opcode Fuzzy Hash: 634017a658c252504831637b4aed64f2952c0e4a466ceb7c2f0efc2c6a2d530a
Instruction Fuzzy Hash: 722136B18003599FDF10CFAAC881BEEBBF1FF48310F14842AE958A7240D7799500CBA1

Function 07315D98 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07315E16

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 74c057c6edacfceaf7267eeaa0bfe87b7d2f670f7c707c68600f76febe8b382a
Instruction ID: 7f96b860ce9e76b98f3a08263cf6046357858b18c4f19d4b3f4cbd35b54eb569
Opcode Fuzzy Hash: 74c057c6edacfceaf7267eeaa0bfe87b7d2f670f7c707c68600f76febe8b382a
Instruction Fuzzy Hash: 4B214CB1D003099FEB14DFAAC4857EEBBF4EF88314F148429D519A7240DB789554CFA5

Function 07316020 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073160A0

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7cfc9c3e2cb8e31941421e25a52d3a148818e0fb192b4b7ee5862fe7178230ab
Instruction ID: 10aa2a982a7c266ef0bfd81510380b8534462115ef2ae75fbbf4bba7b51e9bfd
Opcode Fuzzy Hash: 7cfc9c3e2cb8e31941421e25a52d3a148818e0fb192b4b7ee5862fe7178230ab
Instruction Fuzzy Hash: D12116B18003599FDB10DFAAC881ADEBBF5FF48310F108429E518A7240D7799510CBA5

Function 0282D668 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0282D6EF

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d91b1fdcdca5f004c17f10b44371ed720eb571c41026a96aaf54846a70beccb1
Instruction ID: 6f92737cbed025ef6a79f1304110268c1faed6d7b4bc834aa998cb9f2eb26a89
Opcode Fuzzy Hash: d91b1fdcdca5f004c17f10b44371ed720eb571c41026a96aaf54846a70beccb1
Instruction Fuzzy Hash: D321E4B59002499FDB10CFAAD984ADEBFF4FB48320F14801AE918A3350D378A954CFA0

Function 0282D661 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0282D6EF

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a4928ae95934e0fb10bdb1556321f904900903773405fcf7c7ca51e2b1db44df
Instruction ID: a23e83ea5efe181b660c6241235dcfe639886266eb7efb1b072cd0bc1027b54e
Opcode Fuzzy Hash: a4928ae95934e0fb10bdb1556321f904900903773405fcf7c7ca51e2b1db44df
Instruction Fuzzy Hash: C021E3B5900219DFDB10CFA9D984ADEBFF4FF48314F24841AE918A3250D378A954CFA0

Function 07315E68 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07315EDE

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7385003f0f85c2f0e90bbcedd16caaa2c00d3c9e5a082c0047f2347a78f5e56b
Instruction ID: 1bd7ab25a88883119962fe37ba2223b19f4fe63b99496970903174796fd149f1
Opcode Fuzzy Hash: 7385003f0f85c2f0e90bbcedd16caaa2c00d3c9e5a082c0047f2347a78f5e56b
Instruction Fuzzy Hash: 73214A7190034A9FDB10DFA9C8447DFBFF5EF88320F14841AE519A7250CB75A550CBA1

Function 0282ABB8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0282B481,00000800,00000000,00000000), ref: 0282B672

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 31c8988c84c065bdc826262e697b44e3bd164da22c54df5284d53456d43879a6
Instruction ID: 4fbae9da8ac2bcd607fec7b45259cf6d4ccb67338b5263dcb27efc75e2b2a2ce
Opcode Fuzzy Hash: 31c8988c84c065bdc826262e697b44e3bd164da22c54df5284d53456d43879a6
Instruction Fuzzy Hash: 6D1114BAD013099FDB10CF9AD444B9EFBF4EF88314F10852AE519A7200C3B5A549CFA4

Function 07315E70 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07315EDE

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac69ce1a9a7e5b5d0983b96c035642380a221a29e2cdf791ce705150f1a299ba
Instruction ID: 99a81df94c567563013daa3f10fac39d3c64f25bca25baa7acd01eaf82d5fe1e
Opcode Fuzzy Hash: ac69ce1a9a7e5b5d0983b96c035642380a221a29e2cdf791ce705150f1a299ba
Instruction Fuzzy Hash: 541156728003499FDB10CFAAC844BDFBFF5EF88320F208419E519A7250CB75A910CBA0

Function 0282B602 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0282B481,00000800,00000000,00000000), ref: 0282B672

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10b75806ee1a86e0d122ad73d807f6a6fcd9d7b5018b460c3aa2e3ff69e9519e
Instruction ID: 9b07d001ca80210d26298771a73d4f5bacbe4316f734729347ae7c064bc81362
Opcode Fuzzy Hash: 10b75806ee1a86e0d122ad73d807f6a6fcd9d7b5018b460c3aa2e3ff69e9519e
Instruction Fuzzy Hash: 0F1112BAC00249CFDB10CFAAD584BDEFBF4AF48324F14852AD519A7601C375A549CFA4

Function 07315CE3 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07315D4A

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3b1769df9f73d628ffdfed0bef01f1329eee85622717b7cb6ac4d988881d031e
Instruction ID: a1c522506f98e5fe2facb563483d385f5c81fc0a8d9048a2631b66557276f7d5
Opcode Fuzzy Hash: 3b1769df9f73d628ffdfed0bef01f1329eee85622717b7cb6ac4d988881d031e
Instruction Fuzzy Hash: 561158B19003498FEB24DFAAC84579EFBF4EF88624F24841AD519A7240CB79A900CB95

Function 07315CE8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07315D4A

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5fa02201031773758ea2af5a416702ffd261bc0d7503983675c4a3ca90313291
Instruction ID: 7825931506daf2b1867906a87df6147bfc2df2e153399be63487e52e46c30bb5
Opcode Fuzzy Hash: 5fa02201031773758ea2af5a416702ffd261bc0d7503983675c4a3ca90313291
Instruction Fuzzy Hash: 3A1136B19003498FEB24DFAAC84579EFBF4EF88724F248419D519A7240CB79A940CBA5

Function 0282B3A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0282B406

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ddf1dcfb416d85a1a3adb73d6b18826bb35e43eec8c5ac30b1025a46f972c6d
Instruction ID: 88275aa6fa3697006c10191172703efbe74c7966a00e3c7eaa26dba45436ee82
Opcode Fuzzy Hash: 8ddf1dcfb416d85a1a3adb73d6b18826bb35e43eec8c5ac30b1025a46f972c6d
Instruction Fuzzy Hash: 741102B9C003498FDB10CF9AD544B9EFBF4AF88224F10841AD418B7200D375A545CFA1

Function 0731476C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0731869D

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f64878b44f03c3e575b4d6efd78024f1f85f99b77cc6f292af8b960e2b8e5946
Instruction ID: 77eb9743268665702be948c1f7fc216e0935c530c517665b288240640ebe15a4
Opcode Fuzzy Hash: f64878b44f03c3e575b4d6efd78024f1f85f99b77cc6f292af8b960e2b8e5946
Instruction Fuzzy Hash: 7111F5B5800349DFDB10DF9AD544BDEBFF8EB48324F108459E918A7240D3B5A954CFA5

Function 0731863B Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0731869D

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0102a36e7a02f4da5f5b1f42addf643439808597661a729bde9d2903fa8e8ea8
Instruction ID: a46fe62f2afb0c7ecb12947e82e65956296e7d445176518635d2fcaa4b0c82b9
Opcode Fuzzy Hash: 0102a36e7a02f4da5f5b1f42addf643439808597661a729bde9d2903fa8e8ea8
Instruction Fuzzy Hash: 9011F2B58003499FDB10DF9AD985BDEBFF8EB48324F20845AE918A7640C375A944CFA5

Function 00CED36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2144297983.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ced000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12aa5f1b3820d02b82527a3c7284237ad59f2ef9e45bc9785c9098037b92e2a2
Instruction ID: 47d927db3abb8a7c743f8a1b90e0580a9be3918380a6c76924d93c4524af6fc1
Opcode Fuzzy Hash: 12aa5f1b3820d02b82527a3c7284237ad59f2ef9e45bc9785c9098037b92e2a2
Instruction Fuzzy Hash: E4214675504384EFCB04DF15D5C0B26BBB1FB84314F20C56DE90B4B2A2C37AD846CA62

Function 00CED1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2144297983.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ced000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac721c1f9a01e72b3a4e08cd1e013b77c592e5189e505cf44041981380c4b6b6
Instruction ID: d572f1fdb364fb649e6deee580468bc4feacd9a463c26592538390a2ef5b040f
Opcode Fuzzy Hash: ac721c1f9a01e72b3a4e08cd1e013b77c592e5189e505cf44041981380c4b6b6
Instruction Fuzzy Hash: 32212675604384EFDB04DF15D5C0B2ABB65FB84324F20C56DEA0A4B292C77ADC46CA61

Function 00CED1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2144297983.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ced000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: b4cf42d51d4783b4102920dddcaa3c39bff96456eec45952668a38085290f50a
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: C1119D79504284DFCB05CF10D5C4B15BBA1FB84318F24C6A9D95A4B696C33AD94ACBA2

Function 00CED367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2144297983.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ced000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 7f440081659acf91df082a4e77cf333b2b2f36d27796c26ae3836988d8a2425e
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 66119D76504284DFCB05CF14D5C4B15BBB1FB94318F24C6ADD84A4B696C33AE94ACF62

Function 00CDD781 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2144209275.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cdd000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131e16e85da2d69e8af7a3d93206aec2709ac9d680ecc900e030c6f2c6ba08c6
Instruction ID: bae4bc3e2d432f428a6c7db5f17a6423cbac6198246c1e405b45dfdb9228e347
Opcode Fuzzy Hash: 131e16e85da2d69e8af7a3d93206aec2709ac9d680ecc900e030c6f2c6ba08c6
Instruction Fuzzy Hash: D201F771808344DAF7104E26CDC0766BFD8EF41324F29849BEE0A4A38AC6789940C6B1

Function 00CDD780 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2144209275.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cdd000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c8e34249d7118b661b28efb034b948ed28829a3bf8401301ca1a46e817e360
Instruction ID: 77f52205053ffcb7d4c1db44f22a9d92206008f0928ca6563a35b63b64569e39
Opcode Fuzzy Hash: d1c8e34249d7118b661b28efb034b948ed28829a3bf8401301ca1a46e817e360
Instruction Fuzzy Hash: 9FF0C2724083449AE7108A15D9C4B62FFD8EB40734F18C45AEE090A286C279AD44CAB1

Non-executed Functions

Function 07313010 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870dff81514f9d22202e69bc84be1113dae3b2e9beccef7b87fe9cf964d6990e
Instruction ID: 54c207542cb473db3c43e36f26449642b4d4461e7b6420fd535bf2344109cdc6
Opcode Fuzzy Hash: 870dff81514f9d22202e69bc84be1113dae3b2e9beccef7b87fe9cf964d6990e
Instruction Fuzzy Hash: 9AE11BB4E00259CFDB14DF99C580AAEFBB2FF89304F248269D409AB355D735A942CF61

Function 07313448 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a314922caf058955a22eff672c7fa0b5979cebc5558316a4d6abdd488c044407
Instruction ID: 36740c976526c6fbcda24a15fcd1b8bf9765729c8fa651f92dac9656b4701713
Opcode Fuzzy Hash: a314922caf058955a22eff672c7fa0b5979cebc5558316a4d6abdd488c044407
Instruction Fuzzy Hash: 1EE12CB4E00259CFDB14DFA9C590AAEFBB2FF49304F248269D409A7355C734A942CF61

Function 07313880 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65c8bf08ee26d481e5d2bb157c8a6f03d2d55049c506638e55d1808825c3794
Instruction ID: 87b8e526b8117fb8ab13d30924d05366ff7ae9a7cc7f187d67d63823c3755501
Opcode Fuzzy Hash: a65c8bf08ee26d481e5d2bb157c8a6f03d2d55049c506638e55d1808825c3794
Instruction Fuzzy Hash: 75E10BB4E00259CFDB14DF99C580AAEFBB2FF89304F248269D419AB355D734A942CF61

Function 07315088 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed8eb7c7bc2a973a7ea71eee9e19c47c25a844b9d88f8fb63b4b2b3169ea8e0
Instruction ID: 1fedcdfef5e5e43338eeecae274f4e5cb9f2129040996658566303d1c971efc3
Opcode Fuzzy Hash: 5ed8eb7c7bc2a973a7ea71eee9e19c47c25a844b9d88f8fb63b4b2b3169ea8e0
Instruction Fuzzy Hash: 56E12CB4E10259CFDB14DFA9C580AAEFBB2FF89304F248169D409AB355D734A942CF61

Function 073154C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bfc74604a017a3216b3cb913dc9b8d543a5e4892bcdfc59c061cd6c24ec6b3
Instruction ID: 9a21b64b90fa4d1f02ddf0584d320eb785f958c7eb49329226e0c297e1348980
Opcode Fuzzy Hash: 23bfc74604a017a3216b3cb913dc9b8d543a5e4892bcdfc59c061cd6c24ec6b3
Instruction Fuzzy Hash: EDE11AB4E00259CFDB14DF99C580AAEFBB2FF89304F248169D419AB355D734A942CF61

Function 08E6B508 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151550561.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e60000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f708fa5d87ec1ab5f9505aa6b0ae328d155bfe236787092240186a2534cd4c
Instruction ID: ebae48878751c0558242e24b0d247c6c148901bf4b025a707d6304b1ebe7617f
Opcode Fuzzy Hash: 12f708fa5d87ec1ab5f9505aa6b0ae328d155bfe236787092240186a2534cd4c
Instruction Fuzzy Hash: E1D11831E1065ACADB10EB68D9506E9B7B1FFD5300F10D79AE10A37624EFB06AC5CB91

Function 08E6B518 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151550561.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e60000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef15ea72a355863108740c2555d47438d0f0151b7e012e1a8af92307e949b1d
Instruction ID: 0af70687396399c49853e663967b2581eb7c09be6e2a1b17ed6af8f8eda2aeaa
Opcode Fuzzy Hash: 1ef15ea72a355863108740c2555d47438d0f0151b7e012e1a8af92307e949b1d
Instruction Fuzzy Hash: A9D12831E1065ACADB10EB68D9506ADB7B1FFD5300F10D79AE10A37614EFB06AC5CB91

Function 0282DFAC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2146641149.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2820000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc1598c41523d6f7e7ddf0fdb19b87e890af3fc0d5e6edbb04b8aa0a5cf0c9c
Instruction ID: 5d8f4d1203d3b57e178f61331622c6267d3558a67bedb5fe2119638142379c47
Opcode Fuzzy Hash: 6dc1598c41523d6f7e7ddf0fdb19b87e890af3fc0d5e6edbb04b8aa0a5cf0c9c
Instruction Fuzzy Hash: 67A15D3AE00229CFCF15DFA4C9405AEB7B2FF84304B15856AE905EB265DB31E95ACF40

Function 08E62E87 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151550561.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e60000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46ac2ad0280052d293eb498e0c05f90bb0cd5aae90485a398774973634f7130
Instruction ID: f7f65ae152923c5718387272a8a7a49bce52872ca4aed4beb84f7f065fde2b01
Opcode Fuzzy Hash: f46ac2ad0280052d293eb498e0c05f90bb0cd5aae90485a398774973634f7130
Instruction Fuzzy Hash: 24515271A101458BE748EF3EE8496AA7FE7FBC8304F04C62DD108AB269DF785906CB51

Function 08E62E98 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151550561.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e60000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee422172465eb28df8e799f78f5dba4aec3897b473c47d7e38ce883b8dbbd4e
Instruction ID: f4b17ef31cc2f8ddff17c8aeb96b0d6710b642e042f93a9d6c2cb315f5dd2671
Opcode Fuzzy Hash: 0ee422172465eb28df8e799f78f5dba4aec3897b473c47d7e38ce883b8dbbd4e
Instruction Fuzzy Hash: 05515170A102458BE748EF7EE849AAA7FE7FBC8304F04C52DD10897269DF7819068B51

Function 07313870 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e5004c18077483e034542ccac625f7f19ac8717d653969f461ad236ed3e434
Instruction ID: 81ad2ce235bc2748c1eb67eec62fb696d439895603fcf7346b5f59e9a1646472
Opcode Fuzzy Hash: 77e5004c18077483e034542ccac625f7f19ac8717d653969f461ad236ed3e434
Instruction Fuzzy Hash: CC5120B0E042598FDB18DFA9C5806AEFBF6FF89304F248169D418AB356D7349942CF61

Function 07313439 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00da2998ffa75d75e0c658ba25105fadf41bfc30fe28c9dfa49e899651f72547
Instruction ID: 4c55de3e05c17078482ffd09342c20f46684cb367848422b71f3ceea206ee857
Opcode Fuzzy Hash: 00da2998ffa75d75e0c658ba25105fadf41bfc30fe28c9dfa49e899651f72547
Instruction Fuzzy Hash: D45140B4E042598FDB18CFA9C9505AEFBF2FF89300F248169D408AB356D7349942CFA1

Function 07315078 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509c0d0c6234418f6398aa474736ab8ebfd6221167791803a38691c7b5d12989
Instruction ID: 00d86e65231897fd48df9faf567c6ef57e76e72eee806209fd9ce1c9fef0abd3
Opcode Fuzzy Hash: 509c0d0c6234418f6398aa474736ab8ebfd6221167791803a38691c7b5d12989
Instruction Fuzzy Hash: E5512EB4E102598FDB18CFA9C5805AEFBF6FF89304F248269D418A7356D7349942CFA1

Function 07313003 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2151167827.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7310000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaa6fcda663fd1cff49e67df80f8b747a87e7e3cb3893d244cbe1bbe0047313
Instruction ID: 9ab11dabb50b79e9bbd5fe0bc9c3a23b660bca2a28e62b4ed8a32ddeabb31fdd
Opcode Fuzzy Hash: aaaa6fcda663fd1cff49e67df80f8b747a87e7e3cb3893d244cbe1bbe0047313
Instruction Fuzzy Hash: 66513DB4E042598FDB18DFA9C9805AEFBF6FF89300F248169D409A7356D7349942CF61

Analysis Process: r10072024085940.scr.exePID: 4364, Parent PID: 5040COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	147
Total number of Limit Nodes:	12

Executed Functions

Function 06A644F0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 29e71a65bdcaecbd47b5aab397ae52ce8d1c2505b071c916915cdcc018b6bfb1
Instruction ID: 6fb54638d4526bad12c55dc53f453f04ec4e0a5d485b386fdb42cea993843466
Opcode Fuzzy Hash: 29e71a65bdcaecbd47b5aab397ae52ce8d1c2505b071c916915cdcc018b6bfb1
Instruction Fuzzy Hash: 00713B70A00B058FD7A4DF6AD54075ABBF1FF88304F00892DE486DBA50DB75E845CB91

Function 06A66672 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e18fa179b0344a1be8a9cadcf0848b89b8b2c9a30ee5920061a3e85eb770266
Instruction ID: 93af29b8e2e95edbb195982bf2929b967de1617acb466ec2662d7b6e08a1efb6
Opcode Fuzzy Hash: 9e18fa179b0344a1be8a9cadcf0848b89b8b2c9a30ee5920061a3e85eb770266
Instruction Fuzzy Hash: D75110B1C00349AFDB55DFAAC980ACEBFB1BF89300F25911AE418AB220D7709845CF91

Function 06BA1B28 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4625506390.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ba0000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d2f5f4584d7ec39b3af8257aa710c32a529c2f1594a255f602d939547c8968
Instruction ID: d3c081d40707874ffbcd9bc5035f11015675af7c0ddb813f289aed03e633f1d9
Opcode Fuzzy Hash: 77d2f5f4584d7ec39b3af8257aa710c32a529c2f1594a255f602d939547c8968
Instruction Fuzzy Hash: BF412472D0435A8FCB54DFB9D8007AEBBF4EF89210F1486AAD904E7250EB749845CBE0

Function 06A63A6C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A66802

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 33e977b8bd5019a8cec1d500a50cdf4914b2a5d6eeb78b6edf60ba29c1f9915e
Instruction ID: 81e7b46da3412e1ed87129f3ded46faf8f546f3db541b4563f6e29f91f969701
Opcode Fuzzy Hash: 33e977b8bd5019a8cec1d500a50cdf4914b2a5d6eeb78b6edf60ba29c1f9915e
Instruction Fuzzy Hash: 2451D3B1D00349DFDB14DFAAC984ADEBFB5BF48310F24912AE819AB210D7749845CF91

Function 06A63BBC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06A68F01

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6a3aab2d13d7773c94a4a3201edfd44ca1ca08350b74b71aed031eb9c91078ee
Instruction ID: df7380b824fa31e411e0833c2ab4b874d701239992927c0af4aa0e6f6f46e97d
Opcode Fuzzy Hash: 6a3aab2d13d7773c94a4a3201edfd44ca1ca08350b74b71aed031eb9c91078ee
Instruction Fuzzy Hash: 45414EB4900309CFDB54DF5AC448A9ABBF9FF88314F14C459E519AB321D774A841CFA0

Function 010AB558 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010AB526,?,?,?,?,?), ref: 010AB5E7

Memory Dump Source

Source File: 00000003.00000002.4600579700.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10a0000_r10072024085940.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 866aa27a4b11b37656171577327ac56815b758273cbb62a440980a5359aafb9f
Instruction ID: f74ea1a734e0165a3b3e36bd76f36a076fea1a0b09155d2dd88ba018be2c6a9e
Opcode Fuzzy Hash: 866aa27a4b11b37656171577327ac56815b758273cbb62a440980a5359aafb9f
Instruction Fuzzy Hash: DE21D4B5900209DFDB10CFAAD984AEEBFF4EB48314F54841AE954A3350D374AA55CFA1

Function 010AAEF4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010AB526,?,?,?,?,?), ref: 010AB5E7

Memory Dump Source

Source File: 00000003.00000002.4600579700.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10a0000_r10072024085940.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 990b4277503f8da3ec2405b9604c0b0203029d79246a3a050167c74e6f82aeeb
Instruction ID: 122fb41eb406004eeb051cb8380658a3f7da4ec7c0fa9e113e8efadb6f2a6339
Opcode Fuzzy Hash: 990b4277503f8da3ec2405b9604c0b0203029d79246a3a050167c74e6f82aeeb
Instruction Fuzzy Hash: 3421D2B59002099FDB10CFAAD984AEEBBF4EB48320F54841AE954A3250D378A950CFA4

Function 010A61D8 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 010A625B

Memory Dump Source

Source File: 00000003.00000002.4600579700.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10a0000_r10072024085940.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 70cce8548788d86fd69681a13688fd71089f6545961c24f7441cb597bdb5db85
Instruction ID: 9b6702282012177470f0b279fdbceccd2f2a91fbac1d5367e31224f4e85c1b2a
Opcode Fuzzy Hash: 70cce8548788d86fd69681a13688fd71089f6545961c24f7441cb597bdb5db85
Instruction Fuzzy Hash: FA2134B5D002098FDB14CFA9C944BEEBBF4BF88320F14842AD559A7250D779A945CFA1

Function 010A61E0 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 010A625B

Memory Dump Source

Source File: 00000003.00000002.4600579700.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10a0000_r10072024085940.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6d49d9ad4e760c5a80709ed50271f136bc2cc7648e54ab102d39573de81f507c
Instruction ID: a74a59cea3605eb37356560f6f097afef31bbae86df7acf4cceff95843c68068
Opcode Fuzzy Hash: 6d49d9ad4e760c5a80709ed50271f136bc2cc7648e54ab102d39573de81f507c
Instruction Fuzzy Hash: 0F212771D002098FDB14CFAAC944BDEFBF5BF88320F148429E559A7250D779A940CFA1

Function 06A6A5B0 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06A6BB7A,00000000,00000000,03EDF0F8,02E675A0), ref: 06A6BFC8

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 5090167f72cb5550e462025eb11e71514c55a9db82534cca03b146e29e94a652
Instruction ID: 54ee0de89decdd8944e5d15cba754b61496d36f6925722d225cf22b0058480f8
Opcode Fuzzy Hash: 5090167f72cb5550e462025eb11e71514c55a9db82534cca03b146e29e94a652
Instruction Fuzzy Hash: 5C1117B580424D9FDB10DF9AC944BDEBBF8EF48320F108429E914A3250D378A954CFA5

Function 06A638F8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06A647C1,00000800,00000000,00000000), ref: 06A649D2

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0d895c14703b4cafd8624cfcf533f667eb15970dcec7d295a88f3d5c7c212445
Instruction ID: fe07525e1a672125f08b5cc4f2561cd6e6a092c739135bbc3a5648fc8998c3b0
Opcode Fuzzy Hash: 0d895c14703b4cafd8624cfcf533f667eb15970dcec7d295a88f3d5c7c212445
Instruction Fuzzy Hash: E01129B6C043098FDB10DF9AD544BDEFBF4EB88314F10841AE515A7200C375A545CFA4

Function 06BA10D8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06BA1B7A), ref: 06BA1C67

Memory Dump Source

Source File: 00000003.00000002.4625506390.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ba0000_r10072024085940.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 32167802d9967b456662a3a3523c3b629791dfce1e8f75d04e4754e904d37e1b
Instruction ID: 2eb2247176ecc6dc9298fbfe733ef0436871ddbc7ea365eb7c96d359502f9b41
Opcode Fuzzy Hash: 32167802d9967b456662a3a3523c3b629791dfce1e8f75d04e4754e904d37e1b
Instruction Fuzzy Hash: 821136B1C046599FCB50CF9AC544B9EFBF4EF48620F10816AE518A7240E3B8A950CFA1

Function 06A6BF5A Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06A6BB7A,00000000,00000000,03EDF0F8,02E675A0), ref: 06A6BFC8

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 880967342f551f308f921bf74bb18563cf7342fe58d08ef828dde69cf32b4508
Instruction ID: 6a6a01faf3965887a44e026575b97b7a821658a2a700553f208cc7012d52942e
Opcode Fuzzy Hash: 880967342f551f308f921bf74bb18563cf7342fe58d08ef828dde69cf32b4508
Instruction Fuzzy Hash: 441112B6C00209DFDB10CF9AC944BDEBBF4EB48320F10842AE958A3250C378A654CFA5

Function 06A64961 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06A647C1,00000800,00000000,00000000), ref: 06A649D2

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a05c6e122bc0bf263febaa0fe9e5e2a5d2b8a12d2fb84692b47b05ddabc4b6a0
Instruction ID: 72ccb4ed2b669df872588bf931efb58cac0e812bcda0ea7ee44af2b60259c489
Opcode Fuzzy Hash: a05c6e122bc0bf263febaa0fe9e5e2a5d2b8a12d2fb84692b47b05ddabc4b6a0
Instruction Fuzzy Hash: AE11F3B6D002498FDB20CF9AD644ADFFBF5EB88324F14841AE559A7200C7B9A545CFA0

Function 06A638B0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06A6450C), ref: 06A64746

Memory Dump Source

Source File: 00000003.00000002.4625106985.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6a60000_r10072024085940.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71534e5cacb82cac18fe033ee6d06ff8934888ef58afdf83e3998a5a533e9b3f
Instruction ID: ff462a51f5e9a01f25961b1ab25f62e77a9b3f95e2a10aff49c875bf275bf105
Opcode Fuzzy Hash: 71534e5cacb82cac18fe033ee6d06ff8934888ef58afdf83e3998a5a533e9b3f
Instruction Fuzzy Hash: E41134B5C003498FCB10DF9AC444B9EFBF4EB89320F11841AE918B7200D379A545CFA5

Function 0105D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4599266056.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8384450ae69271b279395fd1c62bd982c4fb7dafe6b2b1b468efd95485f6ab6b
Instruction ID: 2f2c671beef80502fe1064302ef0f2fb2739e736d58a6c75e3b2632f15cd255e
Opcode Fuzzy Hash: 8384450ae69271b279395fd1c62bd982c4fb7dafe6b2b1b468efd95485f6ab6b
Instruction Fuzzy Hash: CD212275504204EFDB85DF94D9C0B2BBBA1FB88314F20C5AEDD4A4B252C77AD846CB61

Function 0105D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4599266056.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a707b937700c2b64273addff48503fa418eef1eb2c2ccd12293a3fe437292c6b
Instruction ID: e0cd17766305a17d51e3c87e6617a4e6cbe36e4ff01cd522fbc90456e82156d4
Opcode Fuzzy Hash: a707b937700c2b64273addff48503fa418eef1eb2c2ccd12293a3fe437292c6b
Instruction Fuzzy Hash: 37210071604300DFDB54DF64C580B2ABBA5EB84354F20C6AEED894B252C376C846CB62

Function 0105D006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4599266056.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbb8fc0d18f7425a81a52b837011f0f30b83f8d8aa86df4d86338406fddaddf
Instruction ID: 542aac6a7b98935646c80b316a2146657ae47d0b7a1f71c21e9ad8d133dc05e8
Opcode Fuzzy Hash: dfbb8fc0d18f7425a81a52b837011f0f30b83f8d8aa86df4d86338406fddaddf
Instruction Fuzzy Hash: 002193755093808FDB57CF24C990715BFB1EB45214F28C5EBD8898B6A3C33AD84ACB62

Function 0105D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4599266056.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_105d000_r10072024085940.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: f7d8685e71a352b99f0417209db2de5fe59ae9fb7353ce1d98a5865c96bf9d0d
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 9511DD75504284DFDB46CF54D9C4B16BFB2FB84314F24C6AADC494B266C33AD44ACBA1

Analysis Process: powershell.exePID: 2496, Parent PID: 4364COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 040BB490 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Yn^, xrefs: 040BB6F0, 040BB6F5
Yn^, xrefs: 040BB557

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: {Yn^$Yn^
API String ID: 0-3084620983
Opcode ID: fb7fb471f890cfa73ff83121947808003ebe3c63081e94756154313b7a444282
Instruction ID: c61a3ce7608465b1638b8b4c6088e8042eeb2813c7e1a4b4c3311c53e7f459ed
Opcode Fuzzy Hash: fb7fb471f890cfa73ff83121947808003ebe3c63081e94756154313b7a444282
Instruction Fuzzy Hash: 2E915071F117599BEB19DBB58810AAE7BB3EFC4700B40C91DD506AB380DF74AA058BC9

Function 06F42308 Relevance: 12.8, Strings: 9, Instructions: 1557COMMON

Download Yara Rule

Strings

#{k, xrefs: 06F42BA7
p5{k, xrefs: 06F4344F
piSk, xrefs: 06F423A0
|,Uk, xrefs: 06F425DB
piSk, xrefs: 06F423B0
piSk, xrefs: 06F42582
${k, xrefs: 06F42EBF
piSk, xrefs: 06F42363
piSk, xrefs: 06F42416

Memory Dump Source

Source File: 00000004.00000002.2207498234.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: p5{k$piSk$piSk$piSk$piSk$piSk$|,Uk$#{k$${k
API String ID: 0-2230282645
Opcode ID: c8dbe74d3694ace821de81e5f3d644417a76c8d96a9d2601dba050b9c4ff6461
Instruction ID: 3b18f6cd614db9a441c94e53061cbac09ac8ada94b34de541a071ae33d04eadd
Opcode Fuzzy Hash: c8dbe74d3694ace821de81e5f3d644417a76c8d96a9d2601dba050b9c4ff6461
Instruction Fuzzy Hash: C0B25832F04205DFDB65AB7988017AABFE1AFC5210F1484BAE505DBB52DF31CA45C7A2

Function 080B6820 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?,00000007), ref: 080B688A

Memory Dump Source

Source File: 00000004.00000002.2210058139.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_80b0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 4e781fa179dd538a71c0f309302248d7833b175421a24d0fdf784c986fcb0d57
Instruction ID: 89c8948d9545af62c0aa554585ebbe7124ff0bd5f5877e12176d5d7d61479e06
Opcode Fuzzy Hash: 4e781fa179dd538a71c0f309302248d7833b175421a24d0fdf784c986fcb0d57
Instruction Fuzzy Hash: B51134B59006098FCB20CF9AD884BDEFBF4AB48224F14851AD518A7750D7B5A944CFA5

Function 080B6828 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?,00000007), ref: 080B688A

Memory Dump Source

Source File: 00000004.00000002.2210058139.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_80b0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: a20f89619c49dccfd1cb82a3970617110e0b8f0fc1156fd70918d14e16188e65
Instruction ID: 015b3ff9f6d2a2eac9406d529725c160751ca847fd8dd0f17db4b66526739226
Opcode Fuzzy Hash: a20f89619c49dccfd1cb82a3970617110e0b8f0fc1156fd70918d14e16188e65
Instruction Fuzzy Hash: 661125B19002098FCB10CF9AC884BDEFBF8AF48324F24841AD518A3310D7B5A944CFA5

Function 040BE5B9 Relevance: 1.4, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

piSk, xrefs: 040BE667

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: piSk
API String ID: 0-1183529320
Opcode ID: 5b8602147c9a5a248d20f29da8d08d662a4eabaae7311b0938c566f565464efd
Instruction ID: d04ba1c2742a8b20a63e59f8522dc175fe5a43b1f33482f15f3850eb7ed723dd
Opcode Fuzzy Hash: 5b8602147c9a5a248d20f29da8d08d662a4eabaae7311b0938c566f565464efd
Instruction Fuzzy Hash: 95416671E0020AAFCB15EF78D894ADDBBF2EF89304F1485ADD445AB390DB34A905CB95

Function 040BE610 Relevance: 1.4, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

piSk, xrefs: 040BE667

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: piSk
API String ID: 0-1183529320
Opcode ID: 2c9b5eb8f514e2624ea21b4bff14b1621c818392e37788c02570a1f93cece079
Instruction ID: 39b3747a9d63b0dfbaf9bcf63d725e2957aca8dae8a9fc6640ea49038ecc4574
Opcode Fuzzy Hash: 2c9b5eb8f514e2624ea21b4bff14b1621c818392e37788c02570a1f93cece079
Instruction Fuzzy Hash: 6D418871A0020AAFCB15DF68D494ADEBBF2AF89304F148568D446AB391DB34AD05CB91

Function 040BE640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

piSk, xrefs: 040BE667

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: piSk
API String ID: 0-1183529320
Opcode ID: d3fb013a8cddae4426f062f20dee544777541bbe95e2e98bb44161e3e13284f0
Instruction ID: 5a279e7b07dc87f026b17cdedf006afb5002f908386e7f55644c58f2ba328f17
Opcode Fuzzy Hash: d3fb013a8cddae4426f062f20dee544777541bbe95e2e98bb44161e3e13284f0
Instruction Fuzzy Hash: C3314631A0020ADFCB14EF69D594A9EBBF2FF88304F108528D416AB390DB34AD05CBD4

Function 040BDCD9 Relevance: 1.3, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/n^, xrefs: 040BDCBE

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: +/n^
API String ID: 0-2444456302
Opcode ID: 05ffac7f5a9a04a4350dba075da163c0844bf8b6cac7adc5d0400cff2d4d2b62
Instruction ID: 3516fce3c564438b0732a20df4623d527a9d361c5fa49f18cbe27bdcfa6bb73f
Opcode Fuzzy Hash: 05ffac7f5a9a04a4350dba075da163c0844bf8b6cac7adc5d0400cff2d4d2b62
Instruction Fuzzy Hash: 0111D635B001049BCB16DB68E8145EDFBE6DFC8221B14846ED496E7351DE75AC028BE9

Function 040BDC88 Relevance: 1.3, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/n^, xrefs: 040BDCBE

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: +/n^
API String ID: 0-2444456302
Opcode ID: 82ffb303696b51f17cb02923a2ab3851a3a0349f71a1bda8abc5b0b3f916618b
Instruction ID: 40e390441b4fb95226e1ab36ae5c76623410f7ca91ba7a76ae0c5f9043bc3d34
Opcode Fuzzy Hash: 82ffb303696b51f17cb02923a2ab3851a3a0349f71a1bda8abc5b0b3f916618b
Instruction Fuzzy Hash: B1F027717152146B87166B5DE8108EFBBEEDEC6271300406BE1C9DB300EE69A90447FA

Function 040BDC98 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/n^, xrefs: 040BDCBE

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID: +/n^
API String ID: 0-2444456302
Opcode ID: 2dcd08363f88b7d61b59cc869c2449630b597a4cd18fdcd07957fa8b9746ffe3
Instruction ID: 11efd41df4185c18a4c8a38d6867106c2e4407a78ba07244558167622e1d2027
Opcode Fuzzy Hash: 2dcd08363f88b7d61b59cc869c2449630b597a4cd18fdcd07957fa8b9746ffe3
Instruction Fuzzy Hash: 75E0C231700615578216A72EE8108DFBBEBDFC4671310802EE149D7340EEA8EC0147E9

Function 06F43CE8 Relevance: .6, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2207498234.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca626d88bd95f5eebc9addc862ca73930def1c37b1f3e7e2ada7735e0a88a4e4
Instruction ID: a45162d9ae22b2ad752ab2fe50873a74d0a92a474a004d2e63639a15222a0379
Opcode Fuzzy Hash: ca626d88bd95f5eebc9addc862ca73930def1c37b1f3e7e2ada7735e0a88a4e4
Instruction Fuzzy Hash: 8E125832F00215CFDB65AB69891076ABFE2DFC1610F14846BD505EBB92DB32CC45C7A2

Function 040BE7B8 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750b403832dc36b669980005e4574c9a5ffc2a5d84c0b10dd1a9db976445000a
Instruction ID: 159bf1c6c3d8909be9cee8da39d7ca2847eee572517d0e2cf62799f7951d8567
Opcode Fuzzy Hash: 750b403832dc36b669980005e4574c9a5ffc2a5d84c0b10dd1a9db976445000a
Instruction Fuzzy Hash: 67915870B10214CFCB54DF78C594AAEBBE6AF88710B14806AE946EB351EF74AC01CBD5

Function 040B29F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f042046f1ddfe9b8366b0b15bb20c222b171c80ec597848b756d988156edc5a
Instruction ID: 1908b9526f199459c7fc9890f41046e79c0451a6d125e8d13fefdda8e2f0d4fe
Opcode Fuzzy Hash: 8f042046f1ddfe9b8366b0b15bb20c222b171c80ec597848b756d988156edc5a
Instruction Fuzzy Hash: C591AA74A00209CFCB05CF58C498AAEFBB1FF89310B2486A9D955AB364C735FC41CBA4

Function 040B7740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea1ff62158359058e919e95833537dae8e5737eff1a0510f6c655e301049528
Instruction ID: f060617e7193b1da0b69cd326c477e85eb829f6d2e36b95342a38d224e6a6e9b
Opcode Fuzzy Hash: fea1ff62158359058e919e95833537dae8e5737eff1a0510f6c655e301049528
Instruction Fuzzy Hash: 6951D1303042059FD705DBB9D854AAE77E6FFC8314B1584AAD989DB392EB31EC01CBA0

Function 040BBAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f725c133fc41125d41582514db49e543caf34da36b3629486d7e4c98ab809135
Instruction ID: 00051bd5df13ebf462f259569959a56a709b38fa4026088d94214dc3e66ef9e1
Opcode Fuzzy Hash: f725c133fc41125d41582514db49e543caf34da36b3629486d7e4c98ab809135
Instruction Fuzzy Hash: EB612271E00248DFDB55DFA9C584BCDBBF1EF88310F24816AE818AB254EB70AD41CB94

Function 040BBAB0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96e516922823da3409e5a1c508017f0a63e0a8d61cd6be8762acb5b9af35359
Instruction ID: 9571a3fec071f0fef8ac77d972e3cc450d2e2c4362a6d4a748be6d6bb7df0ccc
Opcode Fuzzy Hash: b96e516922823da3409e5a1c508017f0a63e0a8d61cd6be8762acb5b9af35359
Instruction Fuzzy Hash: B8514371E00248DFDB55CFA9C484BCDBBF2EF88310F14806AE819AB354EB70A941CB95

Function 040BE419 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c87f0995aaa5db45d2f052976fcb4203ed0824b7c4b596e110bdf4d42d1a3c
Instruction ID: 64f515ee48b19a7ea60b9d3414cf03fc6b649ea51f0c7286352990da90280764
Opcode Fuzzy Hash: e8c87f0995aaa5db45d2f052976fcb4203ed0824b7c4b596e110bdf4d42d1a3c
Instruction Fuzzy Hash: C4515EB4700205CFDB14EF6CC4849AABBE6EF99310B5484A9E649DF391EB34EC018BD1

Function 06F43CCC Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207498234.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb50bf4dde87dd38e34b746f237cee36fff75470457a5efcb23f5a7c37579203
Instruction ID: 978e1a5a4e4ffac92c399f1ebec5f5b535d4a11886233cec930683e2f1f90b90
Opcode Fuzzy Hash: cb50bf4dde87dd38e34b746f237cee36fff75470457a5efcb23f5a7c37579203
Instruction Fuzzy Hash: C3414B32E01302CFDB65AB2A8641766BFB39FC1650B1448A5E8009FB92C731DC49C7A2

Function 040BE428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96b4db2d46794dd071ccb7df8807d9e8db6b6381dfd0d611c66868378beefba
Instruction ID: 6882d0e9e49c1400787e66531d4c8a84e86e682734502650bd44a1296861114f
Opcode Fuzzy Hash: a96b4db2d46794dd071ccb7df8807d9e8db6b6381dfd0d611c66868378beefba
Instruction Fuzzy Hash: B8413CB4B00205CFDB14EF6CC5949AABBE6EFC8304B5484A9E649DB355EB34ED018BD1

Function 040B6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc2ee27f12e071a771214363ace8b13e43cc3d64d04bc6d4552dcb9f95f9530
Instruction ID: 1c8159d72aebd1fd6600d3951331feba388bf6960af5972cd32085c82fad85af
Opcode Fuzzy Hash: 3dc2ee27f12e071a771214363ace8b13e43cc3d64d04bc6d4552dcb9f95f9530
Instruction Fuzzy Hash: 72412B34B14605CFDB159FA8C4A8AAEBBF1AF89314F144099E542AB391DB31ED01CB65

Function 040B2B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba8f36078cd26cb57fb38b5033184bed2888a0486d0c9ebe88dbf0997891ac1
Instruction ID: 2460094e3915ca50280f5663e879ab789e838c6283897f6dd1827336d84389ce
Opcode Fuzzy Hash: aba8f36078cd26cb57fb38b5033184bed2888a0486d0c9ebe88dbf0997891ac1
Instruction Fuzzy Hash: 64411474A00609CFCB06CF59C5989AEFBB1FF48310B2186A9D955AB364C736FC51CBA4

Function 040BC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ea2ef5d72de886c38878932fa6d2888d6fd37b45d998168d1c969fc762290a
Instruction ID: ef253ca6c84b7a0f09cd5868610414b10d73337c244874bb8959f224c8731ef5
Opcode Fuzzy Hash: b2ea2ef5d72de886c38878932fa6d2888d6fd37b45d998168d1c969fc762290a
Instruction Fuzzy Hash: A5316D313006019FE709DB78D854B9ABBA2EBC4714F048669D60ADB390DFB5A905CBD5

Function 040B6FD1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a525a09a03d31e0f6d16cc15a9a9a9638897d9c4adebbd1c0529c3bdee41a40
Instruction ID: 26df1bd333b3da294d62aaea042acf1176f0d3fd56921a649fe2660cbbfc30c3
Opcode Fuzzy Hash: 2a525a09a03d31e0f6d16cc15a9a9a9638897d9c4adebbd1c0529c3bdee41a40
Instruction Fuzzy Hash: 62310734A10605CFCB14DFA9C4A8AAABBF1EF89314F154069E842BB351DB31ED01DBA5

Function 040BAE60 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f83f2b34d20c396b19c75e8f5ca0f0200760a73a64d365e694105a42f22f97
Instruction ID: 32097cad973e717a441eb6e187e77feb89758652b45d09b1d29858e37c143092
Opcode Fuzzy Hash: 67f83f2b34d20c396b19c75e8f5ca0f0200760a73a64d365e694105a42f22f97
Instruction Fuzzy Hash: 4C3146B0B002099BDB44DFA9D494BEEBBF6EF88314F108029E545FB350EA749C418FA5

Function 040BDFC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61327cd03b1d32d9bdaf147a0076457b049cbd11e31f68404020f335e02c0c17
Instruction ID: 483d9cb161bc3125d1549b17d27535fd2e81fb603db207e6f8a3b671c57ce17d
Opcode Fuzzy Hash: 61327cd03b1d32d9bdaf147a0076457b049cbd11e31f68404020f335e02c0c17
Instruction Fuzzy Hash: 51315670A002099FCB04DF69D4A8A9EBBF2FF88314F148169D446EB390DB75A881CB94

Function 040BAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8e493a98d1bc6f2a59127afd8d27068aae41ad938a875996350673f92741cc
Instruction ID: 97ddbbd2deeeb6a019950af54a549022b12e8c7092b3edfa74ff886a448742ae
Opcode Fuzzy Hash: aa8e493a98d1bc6f2a59127afd8d27068aae41ad938a875996350673f92741cc
Instruction Fuzzy Hash: 49313670B002099BDB44DFA9C494BEEBAF6AF88314F108029E405EB350EA74AC419FA5

Function 040BAD28 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28fb9bcaebfe244a20625c5ee45db2bc3ea8b38cd3d86ddad475b5be3f42bd1
Instruction ID: 24a7064402b56b7363c3e8b9dd86538a42d55d04cb71a5414159cb2b17a0fc2b
Opcode Fuzzy Hash: d28fb9bcaebfe244a20625c5ee45db2bc3ea8b38cd3d86ddad475b5be3f42bd1
Instruction Fuzzy Hash: 053184B4F002499FDB04DBB4D854AEE7BB3EFC4300F1084A9D115AB394DA74AD418FA4

Function 040BAF98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b4c3ae1bf15fd6ac3ce41acaeebfb33d20cb4d5ba4544b41c527be7a7c1973
Instruction ID: e19a1d55abd77b576a503222ef51cc0ab32c4e3e92ca5ac71d34fe9c30e3cb60
Opcode Fuzzy Hash: d6b4c3ae1bf15fd6ac3ce41acaeebfb33d20cb4d5ba4544b41c527be7a7c1973
Instruction Fuzzy Hash: 5321AE71A042598FCB14DFAED4407DEBBF5EB89320F14846AD148E7340CA75A905CBE5

Function 040BAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c5feaac4d16f93e7ce5f527b417dd85852c0ce66b0cff2926a5a29803e8bd2
Instruction ID: 3ed9c8b19c98c73c95b612551840f6138ee642c00c9e70c5d13a59b52bd2df37
Opcode Fuzzy Hash: c3c5feaac4d16f93e7ce5f527b417dd85852c0ce66b0cff2926a5a29803e8bd2
Instruction Fuzzy Hash: 353150B4E002099FEB04EBA4D894AEE77B3EFC4300F108469D615AB394DB75AD018FA4

Function 040BDFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127f1da034f77b6fa744b0cb9d61afd73473016ff1d2a11b712e04d61e72eed0
Instruction ID: 5efab6cb1516ff8c5b16d3bdd5630aed9079eb18fe332f4be565affbf0d625ea
Opcode Fuzzy Hash: 127f1da034f77b6fa744b0cb9d61afd73473016ff1d2a11b712e04d61e72eed0
Instruction Fuzzy Hash: E1312770A102099FCB14DF69D4A8A9EBBF2BF88314F148569D406EB390DF75AC81CB94

Function 0290F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8df42e086639213983e6c8e07fca8b4522c33e8d37e6c839915e0992d5500e2
Instruction ID: 58d78bb544c61f807aac6942f4cf212690071574290114138014a70793970919
Opcode Fuzzy Hash: a8df42e086639213983e6c8e07fca8b4522c33e8d37e6c839915e0992d5500e2
Instruction Fuzzy Hash: 43210276504304EFDB15CF10D9C4B26BBA6FB88314F24C5ADED0D0A696CB3AC556CBA1

Function 0290F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a31d4cd86ba75d438940cd73531e3a3c8c51ce4a9bf2c97a50d4c2d8af7468
Instruction ID: 22bad8698df79178a64ba168a2e80060fe00af31f4d48a1fb3dfb543bccc38d7
Opcode Fuzzy Hash: 88a31d4cd86ba75d438940cd73531e3a3c8c51ce4a9bf2c97a50d4c2d8af7468
Instruction Fuzzy Hash: E6216775504208DFDB24CF10C9C0F26BB75FB84314F20C96DD90A4B682CB7AD446CA61

Function 040B93B6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d96dfbbf531abee405acb2b8973187eb29919c70b66922052aedbd0fa58846
Instruction ID: 0d5d1201a3b8dc50f656df8ef4fa44cafab79aa46d154c79a1f5f6db6a934c80
Opcode Fuzzy Hash: 45d96dfbbf531abee405acb2b8973187eb29919c70b66922052aedbd0fa58846
Instruction Fuzzy Hash: 3A21D1B1A057808EEB60CF79C4483D9BFE2FF8A314F28809EC59D5B245C7706046CB56

Function 040BAD56 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62672e8d263fd105e6995602e8967c2b072eb6927b4018975156e2154895678
Instruction ID: 051b3674c4ac2abce562f095e59d8f8ec26af79d9eab467b9fada5cd71bfabba
Opcode Fuzzy Hash: f62672e8d263fd105e6995602e8967c2b072eb6927b4018975156e2154895678
Instruction Fuzzy Hash: D92141B4E012499FDB04EFA4D894AEE7BB2EFC4300F1184A9D515AB395DB34AD018F54

Function 040BAD76 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76501a9f8bd488288ae1f0fe7a8a37d41c569d1beec46fba9e91bacff229830b
Instruction ID: 4286924ed2da291ed9ce6d0765d9a857024518ed747f74cb277514bc252a1b83
Opcode Fuzzy Hash: 76501a9f8bd488288ae1f0fe7a8a37d41c569d1beec46fba9e91bacff229830b
Instruction Fuzzy Hash: A0212FB4E012499FDB44DFA4C894AAEBBB2EFC8300F1184A9D515AB391DB34AD408F54

Function 040B767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3a0dcacefb6fd6bb13d053ece8a49c9e202f67f82c98c772cc61b782799986
Instruction ID: 352f388c0bf328e2a4c48075f32755ed8a80a5586612e6ec551e9e7ea8c9b375
Opcode Fuzzy Hash: bc3a0dcacefb6fd6bb13d053ece8a49c9e202f67f82c98c772cc61b782799986
Instruction Fuzzy Hash: 4A112B79B001188FCB44DBA8E850ADEB7F6EBCC321B1440A5EA09EB351DB30EC018B90

Function 040BE318 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07411661f5d7839bea235d910f1e474b58c86d36fe5edb956f7254069157817
Instruction ID: 8357e8d6eff480079ef9a3713aff4c9e12838850523526ce68feb1c81ebf694a
Opcode Fuzzy Hash: f07411661f5d7839bea235d910f1e474b58c86d36fe5edb956f7254069157817
Instruction Fuzzy Hash: FF119AB18053499FDB10CF59C508BDEBFF4AF49710F14806AD498A7241D739A540CBA6

Function 040B2C5C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfec1a97cf5d7435ae4d68463673b3147bde4db203d6c361f29c2e1a2644644
Instruction ID: 2cc8e4ce8bc79e8b8dce726f069f1053cb0d5a41b6dcef75dd269debbac3b361
Opcode Fuzzy Hash: 4cfec1a97cf5d7435ae4d68463673b3147bde4db203d6c361f29c2e1a2644644
Instruction Fuzzy Hash: FD11B4309093909FC703CF68C8649E9BFB0EF06314F1541CAC091AB1A2C636AC45CBA8

Function 0290F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: 3cdac2b7d8cb89114ff6541602f0f77754b1dc9c665f86f9c623d3475eaccdc9
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: AA21AC76504244DFCB16CF10D9C4B16BF72FB88314F28C5A9DC094A6A6C33AD56ACB91

Function 040B9426 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936c1f528d306c6dbc93f4c9c6f4a6292fb9d9a023a94fdd49c3734022d6e155
Instruction ID: 0d008b2e6cfc503f2ded9c16116f73accb1824cd4331d51df30945f5888c546f
Opcode Fuzzy Hash: 936c1f528d306c6dbc93f4c9c6f4a6292fb9d9a023a94fdd49c3734022d6e155
Instruction Fuzzy Hash: B9213BB1A057448EEBA0CF6AC0883DABBE2FB88314F28C45EC59DA7245D77464858B55

Function 040B79C3 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b00fadbf9b7984233d1448b304b725b12d1427182a25afbd10dd0bf997c633
Instruction ID: 56cdb0c25f6420dd1fbb471a42ed49431e279365727efe6e5567693e6b807c4c
Opcode Fuzzy Hash: 03b00fadbf9b7984233d1448b304b725b12d1427182a25afbd10dd0bf997c633
Instruction Fuzzy Hash: 5001D4327043089FD751CB79E850AAFBBE9EB89225700056EE549D7740DA31AD0087E5

Function 0290F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction ID: fb46f38d31f310b6574ae7d64817a54b77d6103ab7c57faf7bdd079809efac40
Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction Fuzzy Hash: 8B11D076504284CFCB11CF10D5C0B15BF71FB44318F28C6A9D8094BA96C33AD54ACF51

Function 040BE774 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b0673c9c556b96c34ed5643a833be3ba9ddfaf867d65edc71718ac934a6f55
Instruction ID: 1537cbf56a6d981c7cc6a029b16b406d1f95f66779079b83637cf5cd9bf24cae
Opcode Fuzzy Hash: b1b0673c9c556b96c34ed5643a833be3ba9ddfaf867d65edc71718ac934a6f55
Instruction Fuzzy Hash: 3C012BA290D3C56FDB124638CC627C5BFB5DF57524F0902DBD5C0EB293D2095506C391

Function 040BE328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b433a458367d8a4f3b556bdd7bec47efe2f4ff35979c640fe3c91f2b28d31441
Instruction ID: 7f72a3dea7406ef41420302179c95bff6a8afa69a7e35a8b00bbd21f8159e70f
Opcode Fuzzy Hash: b433a458367d8a4f3b556bdd7bec47efe2f4ff35979c640fe3c91f2b28d31441
Instruction Fuzzy Hash: 62116AB1900349CFDB20CF9AC508BDEBBF4EB48720F24806DD588A7241D779A580CBA5

Function 040BBCE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc314b277e80840b315b496ebc11c6eea465f9959e9ed72f86aee177470d7ae
Instruction ID: 1a5c3309462cb789c306eec02154d2673236d7d225f7b7ba8fbacb11cc578957
Opcode Fuzzy Hash: fbc314b277e80840b315b496ebc11c6eea465f9959e9ed72f86aee177470d7ae
Instruction Fuzzy Hash: 0A01D2306083449FD714DB79C494BAA7FF5AF45610F1484EED08AC76A2DB34F845C740

Function 040BE2A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a4459472a98984348cd2894d3d56aef779cf8325795c584f4e665e31f50932
Instruction ID: a07e75502a8e7c97d1ce10895f2e9b435d1f30a966bfc6c35f6671cb2fe7b091
Opcode Fuzzy Hash: f6a4459472a98984348cd2894d3d56aef779cf8325795c584f4e665e31f50932
Instruction Fuzzy Hash: 0B111B34204754CFC768DF75D09089AB7F6EF8931536089ADD48A87BA1CB32F845CB90

Function 040BADB6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b6e3f3de5ac1424ab4c9ca9a50e2ff9d8bef71810b8e4ea4021d866bd14af5
Instruction ID: ab92fc8d22a386a68e24f19fa919b4da805e6ad7692dd2e716e4bedeb217398f
Opcode Fuzzy Hash: 28b6e3f3de5ac1424ab4c9ca9a50e2ff9d8bef71810b8e4ea4021d866bd14af5
Instruction Fuzzy Hash: C91118B8E002499FDB44DFA4C8949AEBBB2FF88200B1584A9D515BB351DB34AD00CF95

Function 040BDE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbde361f10910ad100bbe6816e04295a706a59a38322796196c60c77e6c11007
Instruction ID: eebd8e9182742456329d6908677e1c576547f486e6e45e42cc421b401e40522b
Opcode Fuzzy Hash: dbde361f10910ad100bbe6816e04295a706a59a38322796196c60c77e6c11007
Instruction Fuzzy Hash: 2E014C36B002149FCB119B75E858AAEBBF5FB88215B14406AE51A93341DB36A911CB91

Function 040BBF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52da3ae08b8f1d291e014c4eefdb6220fe3e20e7480ac864adf7ebf4b7ee2ae
Instruction ID: 4ee85981eee1a2933f02343c4ea7e761caa38d3f325746f6ac656fb61781a1a9
Opcode Fuzzy Hash: c52da3ae08b8f1d291e014c4eefdb6220fe3e20e7480ac864adf7ebf4b7ee2ae
Instruction Fuzzy Hash: EBF0A4713093556FD7018B6A9C54AA7BFEDEF8A620715407BFC84C7362DA75CD0487A0

Function 0290D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28443c73eeade1a0885738ebf8e741e28ebfa2d9021e9808cbba1b6b8b5c98f
Instruction ID: b05180f3d374f479522715e354f27e8ab39ff21dc5d017e5d17a2d25be3a8b2d
Opcode Fuzzy Hash: a28443c73eeade1a0885738ebf8e741e28ebfa2d9021e9808cbba1b6b8b5c98f
Instruction Fuzzy Hash: 8601F2724053489EE7204EA5C9C0F66BFACDF81724F08C41AEE4C4A2C2CBB89941C6B1

Function 0290D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f6a5bafa01cc3b4276234eef2ab331cfa028e33f4c8768eeb81a01bebeeda8
Instruction ID: 472548cc2829b1f3835c3efccc4b2bdfaa3f79fff769cadcc48aa3e8e90a5946
Opcode Fuzzy Hash: a8f6a5bafa01cc3b4276234eef2ab331cfa028e33f4c8768eeb81a01bebeeda8
Instruction Fuzzy Hash: 67015E7240E3C49FE7128B258894B52BFB8DF43224F1D80CBD9888F1E3C2695849C772

Function 040B7958 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99163e66e23ed7e674a5732caf83bb4abfb3408bdd6647463b127f6e070b8e21
Instruction ID: ae6a2901a9f0486a60ed799e2a682eb6a3bbcb86c6227b836a3366cf4eb29801
Opcode Fuzzy Hash: 99163e66e23ed7e674a5732caf83bb4abfb3408bdd6647463b127f6e070b8e21
Instruction Fuzzy Hash: 39F022B1305304AFD3114B6AE8809AFBBE9EF88230700056AE649C3740EF346C8187B0

Function 040B90D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69b5d05c9663ce487a6e469137b012008e328e36d2652e8d51e7275d7b358f6
Instruction ID: 3f6a6b37e2f7d8c405a0d0d5bd26dcdbfcd45c9c86006ecc33f9974560a38327
Opcode Fuzzy Hash: f69b5d05c9663ce487a6e469137b012008e328e36d2652e8d51e7275d7b358f6
Instruction Fuzzy Hash: C3F0F6B66052486FE3016F38C0147EB7BAAEFC1718F14809EC5995B391CE3A2805CBE1

Function 0290D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b754f87f01a314a7a94308bbe550144880ed58aff42279a123f7141b468eed82
Instruction ID: 7f1859878954fffc4e3ab1de3f1da1fd6aaca8b86bc5b9fa5593d70292b5759c
Opcode Fuzzy Hash: b754f87f01a314a7a94308bbe550144880ed58aff42279a123f7141b468eed82
Instruction Fuzzy Hash: 18F0F976600604AF97208F0AD985C23FBADEBD4670719C55AE94A8BA55C771EC41CAB0

Function 040BDE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89381055fd83ca91063edb68c4e9218489f335e55e9cd37afb1d143b6bd4112
Instruction ID: 121dcea9f6ce5f9fdfc2e7cf2685b0407a2c6d418e105145e3260e4822724b55
Opcode Fuzzy Hash: a89381055fd83ca91063edb68c4e9218489f335e55e9cd37afb1d143b6bd4112
Instruction Fuzzy Hash: EAF082357042408FC3109F2DD894CB6BBF99FCA71431900DAE284DB772DA65EC11CB95

Function 0290D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2196661513.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255ba489fd7b4d89be6b4dea4cf5a833a22f6e722f139b18a9116f17eeeffb4b
Instruction ID: 7b0deb971ae09833779549fbb6b0de19bb6d298a53159d67086e413373db6852
Opcode Fuzzy Hash: 255ba489fd7b4d89be6b4dea4cf5a833a22f6e722f139b18a9116f17eeeffb4b
Instruction Fuzzy Hash: F4F04975100A80AFD321CF06C984D23BBB9EB89620B298489A85A8B752C730FC42CB60

Function 040B7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb9130fe990b81b01a8788a7a9fe27b11234e8bb947f7afb09e06092f052776
Instruction ID: 3d175171c063f9636488b06240adc144c09eb951aa782ea29293f8dbaf86a239
Opcode Fuzzy Hash: 6cb9130fe990b81b01a8788a7a9fe27b11234e8bb947f7afb09e06092f052776
Instruction Fuzzy Hash: 50F0A7717003189FD7549B79E8849AFBBE9EBC8275B00052DE24AD3740DF71AC0187E4

Function 040B7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ece5b0e17fcb825011311da44fd8187687cb1e473571afac17d62e7d70c91e9
Instruction ID: d3bd72f98808b8088e2e035b17339dd74fca0f290abfc97d2bdbc3f288e71adb
Opcode Fuzzy Hash: 8ece5b0e17fcb825011311da44fd8187687cb1e473571afac17d62e7d70c91e9
Instruction Fuzzy Hash: F6F0A0797001188FCB40EBBCD840ADABBE2EBCC3517154195E649DB311DB30EC018BD1

Function 040B90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fa8318ca0f04c68fa4551541a493ce74a1ca2b93c57316419d2ba5eeb18042
Instruction ID: 7ff6d67f93551aac81cb586881433ff4bf909c6cf232b678a355de2959c40f19
Opcode Fuzzy Hash: c5fa8318ca0f04c68fa4551541a493ce74a1ca2b93c57316419d2ba5eeb18042
Instruction Fuzzy Hash: 85F027B26041085BF304AB78C0587EB7796DBC0728F10C16AC91A5B384CE392C01CBE1

Function 040B94D6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16018519b7bdb0c172668411561eb3e72717225f63bc3944bd0605feb8196d1
Instruction ID: 617baa48a20fe5514dbbd0c25a46332af4da5c7dffd3e8c30e03e05bd314f14b
Opcode Fuzzy Hash: e16018519b7bdb0c172668411561eb3e72717225f63bc3944bd0605feb8196d1
Instruction Fuzzy Hash: 65F049B19003048EDB50DFA9D4883CDFBE1AF98324F28C04AD54CA7241C7796084CB65

Function 040BDE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ea04b433d260c1fe23cad1b03025d6e1cb3e13a8665a93e24f670554097dd2
Instruction ID: 5dcd40c36ae645abf644bb9ed39386fdc96a8e6aff00042a24600bc6f42c9b2d
Opcode Fuzzy Hash: 49ea04b433d260c1fe23cad1b03025d6e1cb3e13a8665a93e24f670554097dd2
Instruction Fuzzy Hash: B6E0E5353001108F8310AB5DD898CA6B7FAEFCEB6571900AAE689DB721DA61EC01DB94

Function 040BE92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32ef2d50cbd5cc1d8af8b67a3fb8a6d18d51ea0aedafc4af4bb22cd0a8cf029
Instruction ID: 1d332c390918e5f95fa4d13a6174f18051cbe7b5f06087a084061c2700cabe9a
Opcode Fuzzy Hash: e32ef2d50cbd5cc1d8af8b67a3fb8a6d18d51ea0aedafc4af4bb22cd0a8cf029
Instruction Fuzzy Hash: F7F06D39A02114EFCB04CB98E586D9EFBB2FB88311B158155F905A7351CB31AD01CB94

Function 040B896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc48665fb623e42b6b4c9892b6172ae15a7da429cf51f1c8c90b788df2c458c
Instruction ID: f2c0bc9eaab0a79fc5bc5040a8a4dd90025bb45c1f7900a11477639d7b21fae9
Opcode Fuzzy Hash: 1bc48665fb623e42b6b4c9892b6172ae15a7da429cf51f1c8c90b788df2c458c
Instruction Fuzzy Hash: 7DF08C7670A3915BCB0A2B70D8183EE3F62AFC6629B05009AD5498B281CE69080583A9

Function 040B9158 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348b2977f7f12885b9bacfc6314e190e9f9423ede52f93e79fb4627e11395fdc
Instruction ID: 8ae9bc4059d9779291afb51476ef286c07a26469a178c13d560d58e930f5ea64
Opcode Fuzzy Hash: 348b2977f7f12885b9bacfc6314e190e9f9423ede52f93e79fb4627e11395fdc
Instruction Fuzzy Hash: 04F05EB09063404FD7609B78C4A83DA7BE2EB45300F04449DD589DB281CB7828818B90

Function 040BAF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20d1d4721171048a5689d4cc57d0b39498ce9b72d818b4e3638781d313b3169
Instruction ID: 1f32c39b0c6fdaa75cf3e734c2376ae70d9ea49c0a708f70654b215e51db02f6
Opcode Fuzzy Hash: b20d1d4721171048a5689d4cc57d0b39498ce9b72d818b4e3638781d313b3169
Instruction Fuzzy Hash: 6CE026623083D2278B16906DE8200E6AFBB8AC762430980BBF0C4DF342DC0A980643E4

Function 040BEB06 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7687eae8f19060dee5eed7a3289198ecf78092515e8134d9a63888d337af565
Instruction ID: b658d8b1445a7aec73032eb3a8c6f223f7f752021b66bfb60e8d51ffe9a82782
Opcode Fuzzy Hash: c7687eae8f19060dee5eed7a3289198ecf78092515e8134d9a63888d337af565
Instruction Fuzzy Hash: 32E08C22B011148B9B105ABDAA955EEA3EBABC86507281026E547D3340DE30A80383C9

Function 040B9549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622f10f7348ec4200ec1fd97e230d12890304b3012c5624b3819aa3d39965e2f
Instruction ID: 75d30fa69b84dcf58a7ecd150ae3f1b1465ef46777785eccb072690a998db6b9
Opcode Fuzzy Hash: 622f10f7348ec4200ec1fd97e230d12890304b3012c5624b3819aa3d39965e2f
Instruction Fuzzy Hash: 1AD017A3B41129276A94B1BE58906FB9ACF8AC54AC70580769B89E7351EC54EC0283F9

Function 040B8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c801ec3c9689df5d19e7a7866d81e13da62920d50c6082a1f529e02c75c1a1a0
Instruction ID: 331265049783684186053f5ab8bf41bdf8a06dbabfda3b17d78d2c6781d2e31c
Opcode Fuzzy Hash: c801ec3c9689df5d19e7a7866d81e13da62920d50c6082a1f529e02c75c1a1a0
Instruction Fuzzy Hash: FDE0DF313052144BCB092774E81C3EF7A56ABC8728F00002AD60A83380CF78180183E9

Function 040B9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299b7b23b9f5880dfc899a0f3f6ddedae196177e1536419f014b0b439d8a7d9f
Instruction ID: d51cd5b5a259035c17c8fb2817779510b2e099d42eab2ee660d633ce2cbd21f6
Opcode Fuzzy Hash: 299b7b23b9f5880dfc899a0f3f6ddedae196177e1536419f014b0b439d8a7d9f
Instruction Fuzzy Hash: FCD05EB3741129276A9471FE18406FB96CF8BC54AC70580769A89E3251EC40EC0383F9

Function 040BDCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: a785d87e081e8490c9f2106888adb60ecf56dca8255895ca79f402ff1834cb2f
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 4FE08631B10014978B089A59D8104EDF7AADFCC220F04807ED95AA7340DA32691586E5

Function 040B8739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9611c63fb2582be4e114cf2b48e4a112ea57893134fd783779e1bbce2ebbf1c
Instruction ID: 32e91f078475fd56d93d9ce3f5f06129644941f9a9de6a127403ab9a5eaca552
Opcode Fuzzy Hash: d9611c63fb2582be4e114cf2b48e4a112ea57893134fd783779e1bbce2ebbf1c
Instruction Fuzzy Hash: 29E08679C052099BCB09FFB4E41A5FE7F74FA14305F4041ADDA8693290EA3A194ACFC1

Function 040B9168 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9098a0aec855fb54a412d40283f7686f28c03aaa7e8cbda81ab6ee7d1b482e
Instruction ID: 27a0de64d1bad08b4de0c7fd1f65d8d29733b8b992dc16d7d333ce80d8c1e777
Opcode Fuzzy Hash: 6a9098a0aec855fb54a412d40283f7686f28c03aaa7e8cbda81ab6ee7d1b482e
Instruction Fuzzy Hash: 3FE0E5B09023049BD7A4AF79D89C79A7AE6FB84310F004869E65ED7380DB3868808B90

Function 040BF460 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0a1b9c83a5a07ff97db2d77c3cf9d79a7dd13c9927cdea9d28bd18a66341b1
Instruction ID: 50b23a2b3f32267658f1a7cfded5384ec59125cf1f9684b733639053706cd282
Opcode Fuzzy Hash: 2b0a1b9c83a5a07ff97db2d77c3cf9d79a7dd13c9927cdea9d28bd18a66341b1
Instruction Fuzzy Hash: 39E01270D4014B9E8784DF78894029DFBF0AF44254B10869AD819E7251E7729552CB94

Function 040B8800 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d215cde4fe040088c68843124f3d611d97af09e8b6853d6f46b7681e7d9f50
Instruction ID: 852b0348c6b0b4a30ae1961726c5b5a26ea1e5050719e7fff7f19425c6d0d974
Opcode Fuzzy Hash: 26d215cde4fe040088c68843124f3d611d97af09e8b6853d6f46b7681e7d9f50
Instruction Fuzzy Hash: 27E08671E0928B9BCB08EFB4D5866EEBFF1AB45209F004059DD45A7740DA355841DB81

Function 040BF470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 4546eca4b76f37f3161a133424cb7f37a0c123ebc30c3250328076b19b5c4c47
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 6AD06270D042099F8784DFADC94156DFBF4EB48200F5085AA8919E7301F7315612CBD5

Function 040B7933 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f6a4570966fc62e6be5313dc8883688c44e1e57a382d0cdaf5ada59fae7736
Instruction ID: c82bc9168fd03f6f69c554c968ce27f4222028f06f18a21b9b95742bc78ed612
Opcode Fuzzy Hash: 15f6a4570966fc62e6be5313dc8883688c44e1e57a382d0cdaf5ada59fae7736
Instruction Fuzzy Hash: 00D0223004E3C88FC3020B30A8300E07F38EF8231434200CBF4898B6A3CE2AAA84C7A5

Function 040B8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca82b5ad02590091cbf06dc4574eded0f10b9743f73b41284ee321044f8a91e
Instruction ID: 7706164c8cbebf81f300717e342929a3f7dbd27b789e91f58b3d04fcbb12f3b9
Opcode Fuzzy Hash: 0ca82b5ad02590091cbf06dc4574eded0f10b9743f73b41284ee321044f8a91e
Instruction Fuzzy Hash: F0D01779C052098BCB08BBA4E81B9FDBB34FA40301F4041A9D90753190EA362A4ACEC6

Function 040B8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f918852ed70dc2e11ff67eb1cf395bd6de6301322c6a356f8a86c7b963bed291
Instruction ID: fa24ed25491d5614883ad1e8172c8d9c330a57bb34850855456b241db146b612
Opcode Fuzzy Hash: f918852ed70dc2e11ff67eb1cf395bd6de6301322c6a356f8a86c7b963bed291
Instruction Fuzzy Hash: E3D01275A0920A9BCB08EF64D4465AEBBB4A744200F004155DD4593350EA306C01CBD1

Function 040BEA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f719c6915bb5d2998f617e752e4ab49719f067f9b14d1c4219132d70e418ee3
Instruction ID: cc1e1f5a485321b825e5c86531380bfef8ea06e44082968f617f9dd16014e4f5
Opcode Fuzzy Hash: 8f719c6915bb5d2998f617e752e4ab49719f067f9b14d1c4219132d70e418ee3
Instruction Fuzzy Hash: 19D09239B40218CFDB04CB98E896ADDF371FF84325F1080A5E519A7351CB32A912CB80

Function 040B7EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de99235f656c3f90fd1d4519d34ba4a9cb74978aa94c7ab3cd6ac2f08f7b892
Instruction ID: 4e2869ebb017eb5131a18afa56004987b14127ecbfd7cfffd13c429cad84b658
Opcode Fuzzy Hash: 9de99235f656c3f90fd1d4519d34ba4a9cb74978aa94c7ab3cd6ac2f08f7b892
Instruction Fuzzy Hash: 1CC08C2060D2808EEF025B338C7A002BFB0BE4331431602C3CE50C3032EE248925C341

Function 040B918E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6e2091db18d9284eb907091ddeb368febd8bd13c74d7fd737f2cb8a0a8ecf7
Instruction ID: 3c8eafb43492f81b9d7eabe96f7ba4cd85415c06eb57f8ab882aebcdd429947b
Opcode Fuzzy Hash: 1b6e2091db18d9284eb907091ddeb368febd8bd13c74d7fd737f2cb8a0a8ecf7
Instruction Fuzzy Hash: BFD092B16057008FD720DF68E4983D6BBE0FB48310F00056EE59EC7252D7796980CB50

Function 040B7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2197483706.00000000040B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44be9449d198ca871a262c32778ae9e500f8d7cd1ce394bd6eed3aa4c6dd1905
Instruction ID: d0b92b07923ce2f5bdc1c2fb27ffd34dc754f826d44e4bdc35987fb3127eb0be
Opcode Fuzzy Hash: 44be9449d198ca871a262c32778ae9e500f8d7cd1ce394bd6eed3aa4c6dd1905
Instruction Fuzzy Hash: 2BB0923018534C8FC2486F75E805814732DAB8021538004A8E90E0A3A28E7AE884CB44

Analysis Process: powershell.exePID: 6980, Parent PID: 4364COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 02CFB490 Relevance: 4.0, Strings: 3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[$p^, xrefs: 02CFB529
kU$p^, xrefs: 02CFB770, 02CFB775
{U$p^, xrefs: 02CFB738, 02CFB73D

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: kU$p^${U$p^$[$p^
API String ID: 0-773913269
Opcode ID: 2769764a34de33d8e93be94290596a77cd9662191f728eac775cc9e76e79ef04
Instruction ID: c1ab55a44e5a7a3791de955e0778cdb1b227e6b1437c2b2f3959ae455c473f99
Opcode Fuzzy Hash: 2769764a34de33d8e93be94290596a77cd9662191f728eac775cc9e76e79ef04
Instruction Fuzzy Hash: 88917A70F016A69BDB59EBB589106AFBBB3EFC4700B40891DD606AB340DF346E058BD5

Function 02CFB4A0 Relevance: 4.0, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[$p^, xrefs: 02CFB529
kU$p^, xrefs: 02CFB770, 02CFB775
{U$p^, xrefs: 02CFB738, 02CFB73D

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: kU$p^${U$p^$[$p^
API String ID: 0-773913269
Opcode ID: 3ecbef8e3ef33e4a0e6aca0edfc228144023ede071025dbcee8539d025c2eb42
Instruction ID: 8350d196de6dbaa282ff945a1b0ac87196e6d47b3184acdb6ecaa9cc59625fbf
Opcode Fuzzy Hash: 3ecbef8e3ef33e4a0e6aca0edfc228144023ede071025dbcee8539d025c2eb42
Instruction Fuzzy Hash: 73918C70F0166A9BDB59EBB589006AFBBB3EFC4700B40891DD606AB340DF346E058BD5

Function 07512308 Relevance: 8.1, Strings: 6, Instructions: 646COMMON

Download Yara Rule

Strings

piSk, xrefs: 07512416
piSk, xrefs: 07512363
|,Uk, xrefs: 075125DB
piSk, xrefs: 075123B0
piSk, xrefs: 07512582
piSk, xrefs: 075123A0

Memory Dump Source

Source File: 00000007.00000002.2248492755.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7510000_powershell.jbxd

Similarity

API ID:
String ID: piSk$piSk$piSk$piSk$piSk$|,Uk
API String ID: 0-4001022099
Opcode ID: 72034e2e0df4484ec47bbb74d3c8e38492f8fd672545ec3917f8307d67dba626
Instruction ID: 70f6e150cf0e18566b8a195cae372781dd5c55fe746da62e323cc923fb322884
Opcode Fuzzy Hash: 72034e2e0df4484ec47bbb74d3c8e38492f8fd672545ec3917f8307d67dba626
Instruction Fuzzy Hash: 8C2226B1B0024ADFEB248BA8C4507EABBE1BFC5212F14847BD504DB651DB71CC45CBA2

Function 0870715A Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 087071C2

Memory Dump Source

Source File: 00000007.00000002.2252620618.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8700000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: f99783799112b0c8868e4526052ebaa115675e2d9f59789dc3afda8689eef8b8
Instruction ID: 86b538a5aaec8204f78371f0ae6af29b9d59ea64ccb5401ae7fdb5a8061427ca
Opcode Fuzzy Hash: f99783799112b0c8868e4526052ebaa115675e2d9f59789dc3afda8689eef8b8
Instruction Fuzzy Hash: D31132B5900249CFCB10CFAED884B9EBFF4AF88320F24845AD419A7250C7B4A844CFA1

Function 08707160 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 087071C2

Memory Dump Source

Source File: 00000007.00000002.2252620618.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8700000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 71499ab296d4d3b56cce7fb7ff96462e096a14e42260265952fe835e7d1aca21
Instruction ID: c3235fa84e996c0f9603f4ca418151bb0f9f08d2e64ac5e8971a2564bf8b0a01
Opcode Fuzzy Hash: 71499ab296d4d3b56cce7fb7ff96462e096a14e42260265952fe835e7d1aca21
Instruction Fuzzy Hash: C21122B1900249CFCB10CF9EC984B9EFBF8EB88320F24841AD518A7350C7B4A944CFA1

Function 02CFDC90 Relevance: 1.3, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.$p^, xrefs: 02CFDCC6

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: .$p^
API String ID: 0-3576396415
Opcode ID: 630bfa8f4a73f7070507d1418c19dc57340c64bcb887362a179dfa24ee388d70
Instruction ID: 072548946df598d72f2d8c40e9fc93e13262c1b3cf160f4720e04828ad093133
Opcode Fuzzy Hash: 630bfa8f4a73f7070507d1418c19dc57340c64bcb887362a179dfa24ee388d70
Instruction Fuzzy Hash: E3F05932704684AFC796D35DA8208EB7FAADEC727130400EBD24BCB301EA206801C7F1

Function 02CFDCA0 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.$p^, xrefs: 02CFDCC6

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID: .$p^
API String ID: 0-3576396415
Opcode ID: f900a99cef463bea58a05da7de08357ca09b6f0e089c8b474814bbecb8d15715
Instruction ID: 4c9a32f9ecd1fcd58b06f81c481adb32762f81824989b2123ad4958b588ab5e8
Opcode Fuzzy Hash: f900a99cef463bea58a05da7de08357ca09b6f0e089c8b474814bbecb8d15715
Instruction Fuzzy Hash: 94E0C231700B10578666A71EA80085F7BDFDEC5671310442EE11AC7304DFA4ED0187D5

Function 07513D9D Relevance: .3, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2248492755.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7510000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec030973866b25a4ad6b458cd7e559aa45433037d3ede9be91b160440d685ff
Instruction ID: d7654a081e07b21e2c5eb6a1f12f9626afc1fc5e40b251ac657f196446912dd2
Opcode Fuzzy Hash: cec030973866b25a4ad6b458cd7e559aa45433037d3ede9be91b160440d685ff
Instruction Fuzzy Hash: CC815BF1700342DFEB258B7485217EABBA2BFC1651B0489ABD9009F792DB71DC45C7A2

Function 02CF29F0 Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d7da0f1c3e7cc89335d10bc1dd4042ffed022495d654fc157a0a1d86ba5e6f
Instruction ID: 87e41cf10f60c97e17a2051879fc3527a7794d243a5425450722614fd41293a1
Opcode Fuzzy Hash: 46d7da0f1c3e7cc89335d10bc1dd4042ffed022495d654fc157a0a1d86ba5e6f
Instruction Fuzzy Hash: 3C919B74A00609CFCB55CF59C494AAEFBB1FF88310B248669DA15AB365C735FC42CBA0

Function 02CF7728 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2251f018b9e7f8ed19f3f6b0afd13bc75130ecf1cf0fe3a43c9354023802089
Instruction ID: 9edfe9d353e1d18ab7e615880bc68fe5ceea03e2e0c2f1eb989e22965d0b660f
Opcode Fuzzy Hash: c2251f018b9e7f8ed19f3f6b0afd13bc75130ecf1cf0fe3a43c9354023802089
Instruction Fuzzy Hash: DF51D0347042048FD785DB69D844A7ABBE6FFC9314F1584AAD609DB352EB31DC06CBA0

Function 02CFBAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48b6f3d11b0230a98f12763042dc789e4867076c34603c0c30708a1e34b6740
Instruction ID: c86f9f1748fccfd2da3dfd555ff3d2a7f4ff79b5b7b0c228c56e0daf83314ace
Opcode Fuzzy Hash: f48b6f3d11b0230a98f12763042dc789e4867076c34603c0c30708a1e34b6740
Instruction Fuzzy Hash: C7610771E00248DFCB94DFA9D584A9DBBF2FF88314F24816AE909AB250DB709D41CB50

Function 02CFBAC0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cbfdead6a015d36c1e60d6ff3cad9d25d74b5d0b11db41a7b554889174acf7
Instruction ID: ce02d14095928425b438fa83d724f05e171f0e43602e9def41960cdd5e7e0dd8
Opcode Fuzzy Hash: 30cbfdead6a015d36c1e60d6ff3cad9d25d74b5d0b11db41a7b554889174acf7
Instruction Fuzzy Hash: 5F512571E00248DFCB94CFA9D584A9EBBF2FF88314F14816AE909AB351EB709D45CB50

Function 02CF6FC8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499031dad3ce716b7d7204cb9a854b95131e9e6b6dde6315a48a46f7e41ba898
Instruction ID: b325e8ce232eb525de8f9fec890aecab1c57b05fbfaa2105521df4a71d5f8ff4
Opcode Fuzzy Hash: 499031dad3ce716b7d7204cb9a854b95131e9e6b6dde6315a48a46f7e41ba898
Instruction Fuzzy Hash: C7413A34B042048FDB58DF64C554AAEBBF2EF8E315F1444A9E502AB391DB35DD05CBA0

Function 02CF2B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78fc0dd86164121f976accb3165e3587c26e6bcd5c6d61fb7432a321fd8375d
Instruction ID: aacb992e4b336a52b2d0c2741f348fafe45f428c0a76ab66dfdbbc2374adf502
Opcode Fuzzy Hash: b78fc0dd86164121f976accb3165e3587c26e6bcd5c6d61fb7432a321fd8375d
Instruction Fuzzy Hash: 97415974A00605DFCB45CF59C598AAEFBB1FF48310B118169DA15AB364C732FD51CBA1

Function 02CF6FA0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937f5b10b6d8cd7dea7c1763d25c0e638a0e8e32668447cc5713cbcf9790b63
Instruction ID: 7313200aeed9476e255534e8058221039742016c99a337151063aaa266eb49bb
Opcode Fuzzy Hash: 9937f5b10b6d8cd7dea7c1763d25c0e638a0e8e32668447cc5713cbcf9790b63
Instruction Fuzzy Hash: 6A419034A042448FDB45CF68C558AAEBFF1EF8E211F2840A9D942EB752DB31DD45CB61

Function 02CFC398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46525b4400afa07de315b02c05efa80afc29b8c93878d1eaa9dc1b3651ad7e1
Instruction ID: 550136409c1b63dad6770e108e25235e22fb804ee65cee891dded20f7f9c9d1c
Opcode Fuzzy Hash: d46525b4400afa07de315b02c05efa80afc29b8c93878d1eaa9dc1b3651ad7e1
Instruction Fuzzy Hash: 0F31A031300601DFD759DB78E854BAABBA6EFC4311F00866DD60ACB3A1DFB1A955CB90

Function 02CFAE70 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd251ed2af46908059dd244ae265cabbcb9c8234b1d483135696ab07151fa90e
Instruction ID: 9191a2070d0c2d78fba2925fdfe2e03ab145c90390f322e2d026e9a61e337b5e
Opcode Fuzzy Hash: fd251ed2af46908059dd244ae265cabbcb9c8234b1d483135696ab07151fa90e
Instruction Fuzzy Hash: FA318D70E002099FDB85DBA9D490BAEBBF6EFC9310F148069E606EB351EB749C418B51

Function 02CFE051 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf15feb418aa3e08f35ff84933e42b2287a0f013cbe3ccb3179c8f77dfbd48
Instruction ID: 061cf90c2a3b82df3b530bc55e9e332e6324168ec1c097db41396500e2c50143
Opcode Fuzzy Hash: 7ccf15feb418aa3e08f35ff84933e42b2287a0f013cbe3ccb3179c8f77dfbd48
Instruction Fuzzy Hash: 02314C30A002048FDB58DF69D498AAEBBF2FF89714F14456DD406EB361DB74AC45CB90

Function 02CFAE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7edc37f1f71b2f512c52f61fc05984e8c5f964f146650226e4cf52b1611662f
Instruction ID: f00a07dc831cecd9b8e26f89395a0983ea0452dfecce42c56bfa12b3e4dfa46a
Opcode Fuzzy Hash: d7edc37f1f71b2f512c52f61fc05984e8c5f964f146650226e4cf52b1611662f
Instruction Fuzzy Hash: CD315070E002099FDB94DFA9D4947AEBBF6EFC9300F118029E606EB350EB749C418B54

Function 02CFAD38 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3baccd0649a8429f8c675f23b245ca4a92b9428fa9c94bbe6591f7722f6f0d39
Instruction ID: dc92ccbf95e45eba566977ea0e628d98719b4897861c05080b1bfed3ba532e42
Opcode Fuzzy Hash: 3baccd0649a8429f8c675f23b245ca4a92b9428fa9c94bbe6591f7722f6f0d39
Instruction Fuzzy Hash: 1A318CB4A002859FDB45EBA4D854AAEBFB3EFC5300F2084A9D105AB395CE789D01CF61

Function 02CFAFA8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712c3db6295ec739b97ba19341b3d3f61895e581e73c698e741ea69d18445ed1
Instruction ID: 1cd735109397457ed90c1d79b93d1897ba95adf804a3485299fe99a6b575a0d0
Opcode Fuzzy Hash: 712c3db6295ec739b97ba19341b3d3f61895e581e73c698e741ea69d18445ed1
Instruction Fuzzy Hash: B8219C75A042498FCB54DFAED440B9EBBF6EBC8320F14846AD119E7340CB74A9058BA5

Function 02CFE060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94422509b6e427bb01938992a322a3b55e0a4a5771e917977f7d139c2c60bf9
Instruction ID: 816a0d5aba122298c5851c5b590a64e9d03dbf0fef6d629d1f6abcd89b4d56f7
Opcode Fuzzy Hash: b94422509b6e427bb01938992a322a3b55e0a4a5771e917977f7d139c2c60bf9
Instruction Fuzzy Hash: C3313870A002048FCB58DF69D498A9EBBF2FF88714F14856DD406EB3A1DB70AC45CB90

Function 02CFAD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0793a9e3fad14ba2e79be766fe07c737f656bcd4faf46fb83d463ce4ffca71ec
Instruction ID: 5946f2dcecd29b2bf40f3a979f8fa7ad4380c5e63e883e4a35522bcea56d9c92
Opcode Fuzzy Hash: 0793a9e3fad14ba2e79be766fe07c737f656bcd4faf46fb83d463ce4ffca71ec
Instruction Fuzzy Hash: F53121B4A002459FDB44EB64D854AAFBBB7EFC4300F109469D615AB394DF359D01CF90

Function 02CF93F8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649aad84acf92124b8c2c4489d91741f40e5c01d2642217066d6cc90157abb9b
Instruction ID: 61120559819db39db95ee34e2e8e6170d93ce8237af0af0400cc2fb6cdd8ac7e
Opcode Fuzzy Hash: 649aad84acf92124b8c2c4489d91741f40e5c01d2642217066d6cc90157abb9b
Instruction Fuzzy Hash: 4E3189B49057448FDBA0CF6AC18878AFFF2EF88320F28C05ED9499B216D7746481CB65

Function 02C4F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b864804ec953d7697478cf9cca35b7c6670c7c9ee8cd096a399e3f34ed784de
Instruction ID: 1734e1c6c32dec72bc3d7a2dbb5d60eb48fed46a0af2094f01066d5f5e62919c
Opcode Fuzzy Hash: 7b864804ec953d7697478cf9cca35b7c6670c7c9ee8cd096a399e3f34ed784de
Instruction Fuzzy Hash: 2621E076604200EFDB05DF10D9C0B27BFA5FB88314F64C5ADE9090A656CB3AD456CBA1

Function 02C4F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b482023e28ddde32f21c91fe7ac9fbda8cf9499469990a288321e4fdcb493ce
Instruction ID: 549961c35240f437d3ee5b51da72e32191e6ef2fdf6e148f476935a9818162fb
Opcode Fuzzy Hash: 5b482023e28ddde32f21c91fe7ac9fbda8cf9499469990a288321e4fdcb493ce
Instruction Fuzzy Hash: 3C213475504240EFDB14DF24D9C0B27BFA5FBD4324F20C56DD90A4B652CB7AE446CAA1

Function 02CF9408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb0415bcec1ff24c139a3e9a56ed1cd87c1d5924dbb6c1092126ee3f82e9e70
Instruction ID: 0bcf2456d1798552c6fbfd5121a3cb23b46f981188083934bf49979e35703301
Opcode Fuzzy Hash: 8cb0415bcec1ff24c139a3e9a56ed1cd87c1d5924dbb6c1092126ee3f82e9e70
Instruction Fuzzy Hash: 7A2188B09017448EEBA0CF6AC08878AFFF2EF88324F28C01ED90D97205DB746480CB61

Function 02C4F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384a7f9de9845f44d81f157188d08ce66234f9fe5d38891e1e9143e6f5175e0f
Instruction ID: 753287a8ddc237672529ebb0db87103bf71a56dc75875d0b7f480f603f723136
Opcode Fuzzy Hash: 384a7f9de9845f44d81f157188d08ce66234f9fe5d38891e1e9143e6f5175e0f
Instruction Fuzzy Hash: 112127B1604244DFDB24DF14D5C0B27BBA5FB84718F20C56DD9094B641CB7AD546CA61

Function 02CF7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d2b4e816dfcd02ff5663f50dddf541ebe74623726da141f17fefd90464a0b3
Instruction ID: cd69c5ffd27e711c9398ea92de718ace8180a1ca80883b898ff7961754b18463
Opcode Fuzzy Hash: 38d2b4e816dfcd02ff5663f50dddf541ebe74623726da141f17fefd90464a0b3
Instruction Fuzzy Hash: 5E111935B00118CFDB44DBA8D840ADEBBF6EBCC315B1440A5EA09DB321DB30DD169B90

Function 075128E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2248492755.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7510000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9172ebc629194746f26239c2c776c2ad2bd936e99dc2e997861db0cabd2b7fe0
Instruction ID: da7aa1acdb492c5ebdb19c02234f153f8647e18b4e9f0a10aa95eafdc9e3fdde
Opcode Fuzzy Hash: 9172ebc629194746f26239c2c776c2ad2bd936e99dc2e997861db0cabd2b7fe0
Instruction Fuzzy Hash: 5111C4B1B1020ADFEB20CF5DC981BEAB7F5FB85222F048067D9088B211D771D880CBA1

Function 02C4F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: 9f29ef2dc6755d44c3e2d75de6ecffc4b4482020f09a9788aa86e0c286677472
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: A8218C76504240DFCB06CF10D9C4B16BF72FB88314F24C5ADE9494A666C73AD56ACB91

Function 02CFDF21 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76299de4a2ed084e31354b2a3b096c0bd1eae542be524646aff36cbc09fb7e4
Instruction ID: ed9fe9a6d69da2a22206bb3254a8250404921462c3d84a25e3be298d308e2113
Opcode Fuzzy Hash: f76299de4a2ed084e31354b2a3b096c0bd1eae542be524646aff36cbc09fb7e4
Instruction Fuzzy Hash: 081151302097408FC765CF34C49089ABBF2EF8631532485ADD08A8BB61C732E845CF40

Function 02C4F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction ID: 4a37e42b0770e8c497b178a4c62bb4af2a8acb4cabcb0cf968ef4535eac723bc
Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction Fuzzy Hash: DD11D075504280CFCB15CF10D5C0B16BF71FB84318F24C6ADD8094BA56C33AE54ACBA1

Function 02CFBCF0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaff9bb81cad37651280eff676ce1bb82ef4df66a5663d85869799864a0e68e
Instruction ID: 5c2c9485f52155217beba25f46c1f8505c5f2b370c31654a76e757bb19075de9
Opcode Fuzzy Hash: bbaff9bb81cad37651280eff676ce1bb82ef4df66a5663d85869799864a0e68e
Instruction Fuzzy Hash: 2111D6316083409FD768CB75D494AAA7FF5EF8A210F1484EDD18AC76A2DB30EC41C701

Function 02C4F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e937d2f642825418ee9ae18dedb5dcdd39905f3497500ca018ffbd85fd39bc
Instruction ID: 3abd57455d1bd4931a8c5a0eef33c6d56db1764ff7d260a66e2b95075609ae89
Opcode Fuzzy Hash: 54e937d2f642825418ee9ae18dedb5dcdd39905f3497500ca018ffbd85fd39bc
Instruction Fuzzy Hash: B011E0B5504284CFDB25DF14D5C4B2ABBB1FB84318F24C6ADC8494BA52C33AD54ACB92

Function 02CFDCE1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45849916bf483aaf570a957b24a3d4b178bac4b8d1302b70a17e4f68e39456cd
Instruction ID: 31380b0dc73cf3f7357f63d120d4106aa0000137f00d761e59c744b23f246561
Opcode Fuzzy Hash: 45849916bf483aaf570a957b24a3d4b178bac4b8d1302b70a17e4f68e39456cd
Instruction Fuzzy Hash: DC110872A041849FCB95D778D8548BD7FB1AFDA210B1844EED5439B352DA315811CBA1

Function 02CFDEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f81c4f644444e9ef678d6013b7975180a2cdd1dd86cd009e803702cb24740f
Instruction ID: a52d1d4add0c9a29ab32fd8e3f311504b8fc867876930ce106ecc2439990f1e5
Opcode Fuzzy Hash: 12f81c4f644444e9ef678d6013b7975180a2cdd1dd86cd009e803702cb24740f
Instruction Fuzzy Hash: 3B018036B002149FCB219B74E808AAEBBF5FF88215F04446DE90A93242DB319951CB90

Function 02CFDF30 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f5485cfc4637eeba772eb0845c8bb0b0b9ebd20a01500aa8e8a0cf0248e047
Instruction ID: 70129e21804200ca1242990f7767dd3a0a1975208397f3f0aa9e4eb276ce76aa
Opcode Fuzzy Hash: b8f5485cfc4637eeba772eb0845c8bb0b0b9ebd20a01500aa8e8a0cf0248e047
Instruction Fuzzy Hash: EC111B35204754CFC768DF35D08089AB7F6EF8931932089ADD48A87BA0CB32F845CB50

Function 02C4D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318a61124a5ac175a7e62e2224b93bc7e1f6d7106bdae9788c5b6291d8767345
Instruction ID: c290e9f46bacda09791794b6a244a9829cb8bc6e7e8045fcc596bb9d1d0f8ec3
Opcode Fuzzy Hash: 318a61124a5ac175a7e62e2224b93bc7e1f6d7106bdae9788c5b6291d8767345
Instruction Fuzzy Hash: DD01126140E3C09FE7128B258994752BFB4DF43224F1DC1DBD9898F1A3C6695949C7B2

Function 02C4D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e2f46e81fb50a22816b51a0b98fd379d991b82121ca6afdbbb28c524e79021
Instruction ID: 5314b25abd06415340e664a61f4c3adfb79bc3a7d932140f4d42e67497ff0fc6
Opcode Fuzzy Hash: 86e2f46e81fb50a22816b51a0b98fd379d991b82121ca6afdbbb28c524e79021
Instruction Fuzzy Hash: 0201F271405340DAE720AA26C980B67BF98DF81324F08C01AED0A4B242CFB8A941CAF1

Function 02CFBF20 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7124b8dabfda13b361c9d91582dfc9028f0cc4c0e81e837cbaa57c6b4f101226
Instruction ID: 1a4442770154781ba2d99ea7368858209cbf071dd0938877456e4d18b611550c
Opcode Fuzzy Hash: 7124b8dabfda13b361c9d91582dfc9028f0cc4c0e81e837cbaa57c6b4f101226
Instruction Fuzzy Hash: 2EF0F4313083A05FD7008BA99C50D7B7FE9EF8A22170440ABF840C7362CA70CD04C760

Function 02CF7940 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0826d117e82a9211f69ca011dd3582d36ccf66bc18e083f7380fd597849d1eeb
Instruction ID: 2a7209187a73276a42127da0e7a1fc0839fdfd2a03b19bd822af90e069e50b11
Opcode Fuzzy Hash: 0826d117e82a9211f69ca011dd3582d36ccf66bc18e083f7380fd597849d1eeb
Instruction Fuzzy Hash: BAF046357093809FC7118769E88096FBFF5EFCA26171006AED14AD7652CF245C4AC7B1

Function 02CF90E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5569e6dca10118f5cfa687563eb285ccd88dab437b2da7824b7bfce60666ba
Instruction ID: 5cde299b98cc1acdee5de7858d810ecf82696001e5d4ea311f84d55725823aed
Opcode Fuzzy Hash: ac5569e6dca10118f5cfa687563eb285ccd88dab437b2da7824b7bfce60666ba
Instruction Fuzzy Hash: F90122316042809FD3559B78D4247EB7FA2EFC6314F64809EC4464B392CF396806DBA0

Function 02C4D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90d8cd6f3b716c180d807505d01b3a4846dd59d088d016b3338af4d36854048
Instruction ID: 961832b859f440345ca9ef3718cb451fb61b3dbd81d15e0c4ad1b573949ff376
Opcode Fuzzy Hash: c90d8cd6f3b716c180d807505d01b3a4846dd59d088d016b3338af4d36854048
Instruction Fuzzy Hash: 83F0F976200604AF9720DF0AD985C23FBADEBD4770719C55AE84A8B611CA71EC41CEA0

Function 02CFDE40 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02297f82c61623ea2be2177e860f74cdd246ab6f2ed1a796ce00d94e83cdb396
Instruction ID: 4d25dcb728d7ae1cdb33fa19d9164b1649d6c26c8fae19d8ab7f7d000e85d5df
Opcode Fuzzy Hash: 02297f82c61623ea2be2177e860f74cdd246ab6f2ed1a796ce00d94e83cdb396
Instruction Fuzzy Hash: ACF082353042808FC3118B2DD4A49A6BBFA9FCF61531900EAE585CB332DA61DC02CB90

Function 02CF9160 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8af4578e7ccae2e15ed3e2c165cd77fc099b053cdea4adb745d96561a7a59f
Instruction ID: 9b73006f6543dd76450c8f6515365a49251285648c2ab8f8994e0b4b723cf7f2
Opcode Fuzzy Hash: 9d8af4578e7ccae2e15ed3e2c165cd77fc099b053cdea4adb745d96561a7a59f
Instruction Fuzzy Hash: 98F030319093409FD765DB78D8A87AABFE1EF45310F0444ADD14AC7252DB342985CB50

Function 02CF7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746037ba635b1ea35b3e17e383ab6ef0ecbe57ed376894d29d6636612d8f849a
Instruction ID: 248c167eeebc4e5e263ed51e500dad83f37c4e3206d5744ff3192c462943e49b
Opcode Fuzzy Hash: 746037ba635b1ea35b3e17e383ab6ef0ecbe57ed376894d29d6636612d8f849a
Instruction Fuzzy Hash: E5F0A7317006149FD7549759D884A6FB7EAFBC8365B40052DE20AD3340DF71AD0587A0

Function 02C4D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2226774418.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6707807eb5c1e10824aff69105311a9a7f90e2b24161b28eab4055df153a9fc7
Instruction ID: f5dc060de9b7a4a9cf809228cdec5985c854f54606d3a01737978393911625d2
Opcode Fuzzy Hash: 6707807eb5c1e10824aff69105311a9a7f90e2b24161b28eab4055df153a9fc7
Instruction Fuzzy Hash: 0FF04975100A40AFD321CF06C984D23BBB9EBC5620B198489E84A8B712CA70FC02CF60

Function 02CF90F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f635d2b04b3820d7cac1449ebae1f5db843f7195d1cc25ab19e74dc1b728c27d
Instruction ID: 2b02761571e68599b0dd35fafb53d56193ae57f97df686fad9db94b06bc05fd6
Opcode Fuzzy Hash: f635d2b04b3820d7cac1449ebae1f5db843f7195d1cc25ab19e74dc1b728c27d
Instruction Fuzzy Hash: 8BF027757002045BE354AB64D0087EF7BA6DFC0314F60816EC50A57385CF392C42CBE0

Function 02CF767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede6e30bd9047c47041159fbf458a93e8c99fc5caec2a32fb774a9db5e11da42
Instruction ID: 1fa5b3bb81a04e5e4382cc397b8e43853d5a0b87c3462c71c2921c9382999806
Opcode Fuzzy Hash: ede6e30bd9047c47041159fbf458a93e8c99fc5caec2a32fb774a9db5e11da42
Instruction Fuzzy Hash: 78F0A0357005188FDB40DBACD840A9ABBA2EBCC395B15419AEA09CB321DF30CC0A4B90

Function 02CF896A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623b423195440d24eb0a3cfc0d06faf2b4fa9efbb1c2a00f0808cf308216e4c3
Instruction ID: 648f66847adb1cd8a14f86147068e8dc5b980f0b014cf60f420c180b0027c9b7
Opcode Fuzzy Hash: 623b423195440d24eb0a3cfc0d06faf2b4fa9efbb1c2a00f0808cf308216e4c3
Instruction Fuzzy Hash: 62F082353092815FCB0BAB74A458AAD7FA2EFC6721B09009ED5068B253CF780855DB95

Function 02CF9549 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c111c37dcb4cf76a2b6ddd359069f1284f5f65caaed380062998c3541d0e2e7
Instruction ID: ec09d4f114651fadd743c3b18b226678a5588da4f5ff4248bb1f74119d7645cc
Opcode Fuzzy Hash: 0c111c37dcb4cf76a2b6ddd359069f1284f5f65caaed380062998c3541d0e2e7
Instruction Fuzzy Hash: 06E0D8227051145F8ED452B988203B77A9F8FCB5707094376DB15DB2C1ED10CC0653A1

Function 02CFDE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce02050893d2ec5707dffe83c54c5f0e83d80a372c9ed96abdcc730d4150a6d
Instruction ID: 52be5587bda36b2763698ea2fc775d68224bebf7fe3519e969d5c4e4c28b7b69
Opcode Fuzzy Hash: 7ce02050893d2ec5707dffe83c54c5f0e83d80a372c9ed96abdcc730d4150a6d
Instruction Fuzzy Hash: A2E012353001108FC3509B1DD494D66B7FAEFDE75575500A9E645DB331DB61DC01CB90

Function 02CFAF98 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e82a29ec8f17bbfb8f49f9f24c16a3dc25bb641f662f9f6b6c0f79262b2b52
Instruction ID: 16cac33d1f12f33dc4c0839ba51f6dafa88d571fa53a0b750dd1648f6df43fe4
Opcode Fuzzy Hash: c1e82a29ec8f17bbfb8f49f9f24c16a3dc25bb641f662f9f6b6c0f79262b2b52
Instruction Fuzzy Hash: 96E092227083951BC7568269A860462BFB79BC756030D44FBE145CF252E91199028360

Function 02CF9170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101c9737a112e5164cf095753b910aaa9af20a3bc56d3e8c911fb58bc500e7bf
Instruction ID: 42804f50ef3f8adf036cd0aaacb31e4d73c9022da516bb5f749340d7f0ff0124
Opcode Fuzzy Hash: 101c9737a112e5164cf095753b910aaa9af20a3bc56d3e8c911fb58bc500e7bf
Instruction Fuzzy Hash: BEF0ED70A013045BD7A4DBB9D89C79FBBE5EB44320F50446DE65ED7240DB396980CB90

Function 02CF8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aeb62e28440d4488c2d76f2e951f427fe11ae92652116cd57bf7a481142e226
Instruction ID: c2c6ddb4945f362b6358dc636ad088e3a3d256595770e2e601727d88aa825699
Opcode Fuzzy Hash: 2aeb62e28440d4488c2d76f2e951f427fe11ae92652116cd57bf7a481142e226
Instruction Fuzzy Hash: 18E0263130425467CB097774A40CAAEBA57EFC8B20F04002ED60783342CF780C6197D9

Function 02CF9558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94cd89d3a8a3c069cd764237ad59d076cf467fcc9f9c0b0b2c3f00ee51fabfa9
Instruction ID: de674ce2cadce0fdd95537713557c2b630620c18059be7109b4c6ebd222c35d3
Opcode Fuzzy Hash: 94cd89d3a8a3c069cd764237ad59d076cf467fcc9f9c0b0b2c3f00ee51fabfa9
Instruction Fuzzy Hash: 0FD05E527021251B4DD860AA99007BBA5CFCEC55A1705133ADB09EB281EE50CC0613F1

Function 02CFDCF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 033925b9f6298af499c2d5eda073e2865f5eb9f6c52b70d41c511643c3d1e762
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: C3E08631B0005497CB48969AD4544E9FBA5DBCC220F14847EDA0AA7340EA325916C6E1

Function 02CF8739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e97cc7863938749eeeed4eaea580a1e32c979a805b380d7f0c76cfa0eae6932
Instruction ID: b8233fe34adc899fc06488e25b63702dd40d60e8bba2130281645346b68afb66
Opcode Fuzzy Hash: 8e97cc7863938749eeeed4eaea580a1e32c979a805b380d7f0c76cfa0eae6932
Instruction Fuzzy Hash: 97E01A31804149DFCB19EBA4D86A8BEBF30FF06301B0402ADD95787292EB311A96CBC0

Function 02CFF860 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955de0b2ae5c5a1f8181f450b0909d9a189db1fd6bdbf5fac431c68327627b5d
Instruction ID: c4b353c01b2ad53b1cb88ee06361e50d2e4245a398dea8d7af6b6320f6934de8
Opcode Fuzzy Hash: 955de0b2ae5c5a1f8181f450b0909d9a189db1fd6bdbf5fac431c68327627b5d
Instruction Fuzzy Hash: EEE01270D442499F8B80EFBCD4415AAFFF09F49210F2485AED948EB202E6318551CFD1

Function 02CF8800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0404f1582b3713c7331f678c6e27ce47182a5d1854b224259a773f8d2e7aebb
Instruction ID: 3f45ec595015f73ea6e09c95823e528279da702621a226db99bf9bc1e41bb6d1
Opcode Fuzzy Hash: d0404f1582b3713c7331f678c6e27ce47182a5d1854b224259a773f8d2e7aebb
Instruction Fuzzy Hash: 02E09A3490824A9FCB58CF64D4858ADBFB0EF0A201B0842ACDD869B312E7311854DF80

Function 02CFF870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 70b83b4b5f4748d778ff960498a7c7dd5f63ba0b0465d2e1a82dc9131533793b
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: DBD067B0D042099F8780EFADC9415AEFBF4EF49200F6085AEC919E7341E7329A12CBD1

Function 02CF8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506d6dab0f1082d21310511ac63e2642da182e64b7dbee54c3d8c50e0efb4e8f
Instruction ID: 82302c6f07fe3ef0003a139cfe282455f94b6e416582568e3fd86e97064496a7
Opcode Fuzzy Hash: 506d6dab0f1082d21310511ac63e2642da182e64b7dbee54c3d8c50e0efb4e8f
Instruction Fuzzy Hash: FCD067319041099BCB58ABA5E85A4BDFB74FE14301F40426DEA1B52191EB321AAACAC5

Function 02CF8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6794d00fe68330f3473a0d10de4f2f5e99f1f722dbecf7ab8a220f714b51fe5
Instruction ID: cf2e0d2a71cf557a7a63b4e070b964ba82ef8a1b015aa4adbbace236e72b6c9d
Opcode Fuzzy Hash: f6794d00fe68330f3473a0d10de4f2f5e99f1f722dbecf7ab8a220f714b51fe5
Instruction Fuzzy Hash: F5D0123490420A9F8754DF64D44686DBBB4EB44300F004159DD0A93345EA305951CFC1

Function 02CF791A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fd382215b761511f6fd72defc88e7cef99bf4a1661f3f3d5a34f9e17de3508
Instruction ID: 4a624faa712b970f31bc45da9a420472b139ef658025e23a249ea498affa25b0
Opcode Fuzzy Hash: 43fd382215b761511f6fd72defc88e7cef99bf4a1661f3f3d5a34f9e17de3508
Instruction Fuzzy Hash: D2D0C93814E3C49FC7278F78A4958183F34AE0326576904DED8C69F5B3C9668489CB07

Function 02CF7E90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41210310d03d3be8e3cb22f15987faf9790e790cfe01aac5037e89c9ff11ed75
Instruction ID: 1edccb81922c9a5dd943f8a57f18951f972d510bacd1516e70ad06be0a21a8ed
Opcode Fuzzy Hash: 41210310d03d3be8e3cb22f15987faf9790e790cfe01aac5037e89c9ff11ed75
Instruction Fuzzy Hash: A6C08C2401E3C01EEF03933A889E1027FB10E8302930A41CAC4C2DE867C818880BC703

Function 02CF7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2227137576.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d3d164ec21fc27093364611dd207d0fb384dc9779b9bcfcce4e51863300f7d
Instruction ID: 61464e5456659d55089e485fd684c4df0f81114fb5517947b7c6640806d3d527
Opcode Fuzzy Hash: 15d3d164ec21fc27093364611dd207d0fb384dc9779b9bcfcce4e51863300f7d
Instruction Fuzzy Hash: 98B09230185748CFC2486F75A884815732DBB402197C004A8E80E0A2A28E76E888CA44

Analysis Process: powershell.exePID: 6920, Parent PID: 4364COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04EAB490 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Yn^, xrefs: 04EAB6F0, 04EAB6F5
Yn^, xrefs: 04EAB557

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: {Yn^$Yn^
API String ID: 0-851193633
Opcode ID: 42b91d16c9ac9da681a7c22959f9ba160ae86ef0568c8be06ec1351f25711606
Instruction ID: c1442159f5ca02a1088b3c63fe5523e43760e7622a98b9781325e1f049b29913
Opcode Fuzzy Hash: 42b91d16c9ac9da681a7c22959f9ba160ae86ef0568c8be06ec1351f25711606
Instruction Fuzzy Hash: 03917F74E017559FEB19EFB588016AEBBE2EFC4B00B40892ED106AF384DF7469118BD5

Function 07B82308 Relevance: 8.1, Strings: 6, Instructions: 642COMMON

Download Yara Rule

Strings

piSk, xrefs: 07B823A0
piSk, xrefs: 07B82582
|,Uk, xrefs: 07B825DB
piSk, xrefs: 07B82416
piSk, xrefs: 07B823B0
piSk, xrefs: 07B82363

Memory Dump Source

Source File: 00000009.00000002.2300106352.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b80000_powershell.jbxd

Similarity

API ID:
String ID: piSk$piSk$piSk$piSk$piSk$|,Uk
API String ID: 0-4001022099
Opcode ID: fc0d4f2492959feca80b8c37c18fedf286b133e6a677275f3543560a07846e04
Instruction ID: 0cfe12285fb90416f4a2e8f1501a3c5503d46562fa5ce4612d3aad111b37a98d
Opcode Fuzzy Hash: fc0d4f2492959feca80b8c37c18fedf286b133e6a677275f3543560a07846e04
Instruction Fuzzy Hash: DB2214B1B00206DFEB64ABA8C4547EABBE1FFC5210F0485BAD905DB351DB31C945CBA2

Function 08E86421 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFD80893), ref: 08E8648A

Memory Dump Source

Source File: 00000009.00000002.2306401066.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e80000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 52cd66789a190669ab6c7f75cd15e088c18f1fefad13288933ca31d6a96a0158
Instruction ID: 7a718917cac574d62ae1617fc3535dbad0d5a02abf202eb159101e2427978a22
Opcode Fuzzy Hash: 52cd66789a190669ab6c7f75cd15e088c18f1fefad13288933ca31d6a96a0158
Instruction Fuzzy Hash: 961113B59002498FDB10DFAAD884B9EFFF4AF88324F24841AD519A7350C7B4A944CFA1

Function 08E86428 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFD80893), ref: 08E8648A

Memory Dump Source

Source File: 00000009.00000002.2306401066.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e80000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: ea54eb2a584fd1e0e7e80b3a890f1f638e7b7ac0813619899114412a171b00d1
Instruction ID: 4463145d732144c0b676a68f40c9fc36bcd862b7a8015954bd8f8346cc604cbe
Opcode Fuzzy Hash: ea54eb2a584fd1e0e7e80b3a890f1f638e7b7ac0813619899114412a171b00d1
Instruction Fuzzy Hash: B511F2B5900609CFDB10DF9AD984B9EFBF8AB88324F24841AD519A7310D7B4A944CFA5

Function 04EAE610 Relevance: 1.4, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

piSk, xrefs: 04EAE667

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: piSk
API String ID: 0-1183529320
Opcode ID: fd76f85416cc9a651b66375328c0a2f5a4b8193260e15654a140f25d980c2189
Instruction ID: fcb87701e707472a83418fd6a3f1641fc9dee628564785aace82a001db739ebf
Opcode Fuzzy Hash: fd76f85416cc9a651b66375328c0a2f5a4b8193260e15654a140f25d980c2189
Instruction Fuzzy Hash: F7417B34A052499FDB19DF78D894A9EBFF2EF89304F1485ADD406AB391CB30AD05CB91

Function 04EAE640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

piSk, xrefs: 04EAE667

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: piSk
API String ID: 0-1183529320
Opcode ID: 3815f7dca05b4ddc46e5f668b03956c3dc0928417ed57b165e190397c1c9fd7f
Instruction ID: 380f65d05c3cc931c64825af18c591b1de959cdd983dd86a81cb74fdd36d54b0
Opcode Fuzzy Hash: 3815f7dca05b4ddc46e5f668b03956c3dc0928417ed57b165e190397c1c9fd7f
Instruction Fuzzy Hash: 81315A34A01205CFDB18EF69D994A9EBBF2FF88300F10852CD416AB384DB34AD05CB90

Function 04EADC88 Relevance: 1.3, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/n^, xrefs: 04EADCBE

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: +/n^
API String ID: 0-2038921070
Opcode ID: ce09d07aaf18d085d44edd6a8f278fba6a3f6b8f4b9ced9790eaab3d16bd3010
Instruction ID: 684c84aa3a08be7f097c9112e4b49e957019328a62f4e8e2c3791de33d20dab8
Opcode Fuzzy Hash: ce09d07aaf18d085d44edd6a8f278fba6a3f6b8f4b9ced9790eaab3d16bd3010
Instruction Fuzzy Hash: 1EF0A0352097916FC31B972DA810C9F7FE69EC216031501AEE046CF653CA54D80A87E6

Function 04EADC98 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/n^, xrefs: 04EADCBE

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: +/n^
API String ID: 0-2038921070
Opcode ID: b499499342a99c799105bdf460a335ac443a4405baed90c0e03030e5d1bb6607
Instruction ID: c0ebf3d83f94eacae91649e652557ef23864ca370d4434c8f8002156c9d4a547
Opcode Fuzzy Hash: b499499342a99c799105bdf460a335ac443a4405baed90c0e03030e5d1bb6607
Instruction Fuzzy Hash: 9AE08C35700614579229AA5EA80085F7A9BDFC4A71350402EE11A8B704DEA4E80147D5

Function 07B83CE8 Relevance: .6, Instructions: 573
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2300106352.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07854cc54fdf0d39ab5b857ba898d0c22c0e019260e94cf9681fc7f710a21782
Instruction ID: 5b049f9c5313db2dbb03dc5ce359fa4d2f435253b10efedbeae8001f63b7710a
Opcode Fuzzy Hash: 07854cc54fdf0d39ab5b857ba898d0c22c0e019260e94cf9681fc7f710a21782
Instruction Fuzzy Hash: 701225F1B00256CFEB65AF68C81076ABBE2DFC1610F1484ABD505DB791DB32D845C7A2

Function 04EAE7B8 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11cd99701207e50c949e12f68e11113ba53fcba28083f6d352349e16e13a7ce
Instruction ID: 575685543edb645b2cde6d595aab1bb454bac016f52350198a3d3835564d8a55
Opcode Fuzzy Hash: e11cd99701207e50c949e12f68e11113ba53fcba28083f6d352349e16e13a7ce
Instruction Fuzzy Hash: 5D914A30B50218CFCB24DF6CD59456EBBE6AF88714B18946AE906EB355EF70EC01CB91

Function 04EA29F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68562e5e4256d72d0f3a191753d252ac14187c37bd9e9318fcc81ae90af2ba1a
Instruction ID: 66e8ce85b598eb929a0800463e1bf9549a62748977dd4043ffb471df4aeec05f
Opcode Fuzzy Hash: 68562e5e4256d72d0f3a191753d252ac14187c37bd9e9318fcc81ae90af2ba1a
Instruction Fuzzy Hash: F591BC74A00205CFCB15CF58C494AAEFBB1FF88310B2486A9DA55AB365C735FC91CBA0

Function 04EABAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126994998033e4a24473cdb16220dd37953cd27b722afcd4cf2cfb2ebd9b1271
Instruction ID: e85589a54cc927c002eb31e8065f7a9cd65d54f18429fa90c793804e822a2c31
Opcode Fuzzy Hash: 126994998033e4a24473cdb16220dd37953cd27b722afcd4cf2cfb2ebd9b1271
Instruction Fuzzy Hash: 61612371E00248CFDB14DFA9D584A9DBBF1EF88314F24816AE919AB254EB70AC55CB60

Function 04EA7740 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a3481df484ac7751c3deaadeea802032b2b9a25ed91c1b5a9bab065d322ce6
Instruction ID: d2f29bde29d58d415fa9219459621390b6a7f6d6db381702003c77505fcc311b
Opcode Fuzzy Hash: f0a3481df484ac7751c3deaadeea802032b2b9a25ed91c1b5a9bab065d322ce6
Instruction Fuzzy Hash: DF51CE353002159FD704DBA9D844A6ABBE6EFC8215F14946AE509CF351EB31FC12CBA1

Function 04EABAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d1d2c41c2d2c34886b01ee1ff1066b242fc6e8ae34b488cbf36b423a1a0ef4
Instruction ID: d9c7b8c0b2fa2f592471dfe7ff49e9cdd0b75868b786cfa2d012a744bb03e750
Opcode Fuzzy Hash: 36d1d2c41c2d2c34886b01ee1ff1066b242fc6e8ae34b488cbf36b423a1a0ef4
Instruction Fuzzy Hash: A4514571E00248CFDB14DFA9D484A8DBFF2FF88310F14816AE919AB365EB70A855CB50

Function 04EAE419 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f37e660dc121351503f7ab4efb8f23ec4c97eee5c8d553751427f657d9773f0
Instruction ID: 9187b587df9cc74430842aba3bf5e40f81a3b24eea8c335aa342c1ca9093cbd6
Opcode Fuzzy Hash: 1f37e660dc121351503f7ab4efb8f23ec4c97eee5c8d553751427f657d9773f0
Instruction Fuzzy Hash: BF517C34B00205CFDB14EF6CD484A6ABBE6EFC8314B458169E509CF356EB34EC118B91

Function 04EAE428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df315d3ae2b349f8a103e8f88842e474050081c085d1171fcfaf1b98f300eb4
Instruction ID: ac9f951b2039eb195445dcc96c362991198082cd258a45a28c40c4a38660224e
Opcode Fuzzy Hash: 7df315d3ae2b349f8a103e8f88842e474050081c085d1171fcfaf1b98f300eb4
Instruction Fuzzy Hash: EB414638B00205CFDB14EF6CC594A6ABBE6EFC8314B558569E609DF355EB34EC018BA1

Function 07B83CCC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2300106352.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dfdf3540fd5d0f250fe3ab12178d4515e98c53a1acf64ba2462dce607b12c4
Instruction ID: 378466c8af54234c16acaa0967dab7fe9eee52055fca08b18dda31b37e842166
Opcode Fuzzy Hash: 39dfdf3540fd5d0f250fe3ab12178d4515e98c53a1acf64ba2462dce607b12c4
Instruction Fuzzy Hash: 064115F1A00202DFEBA5AF58C65076E7BE2DFC4A00B1844D6D900AF351D735ED44CBA1

Function 04EA6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e340a02f3a9cc954138ad6043dc106c19339141030672dc6e793ac93ab0d46b
Instruction ID: d6eac59df2c5ba914aabb8f418e5aab30ee47d0291f341b156c47405e2b70cf5
Opcode Fuzzy Hash: 6e340a02f3a9cc954138ad6043dc106c19339141030672dc6e793ac93ab0d46b
Instruction Fuzzy Hash: 65416C34B042048FDB18DFA4C4A8AAEBBF1EF8D715F1450A9E402AB391CB71ED01CB61

Function 04EA2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e5feffc55117f5be940a9494ec6b26e022f80568d490e2c464bc2a50980e4
Instruction ID: ef2a3ef8dca978d0e1169286abd4870c73cfdbea9402639c7fc16442e80268f9
Opcode Fuzzy Hash: 0c0e5feffc55117f5be940a9494ec6b26e022f80568d490e2c464bc2a50980e4
Instruction Fuzzy Hash: 8D416C74A00205DFCB05CF59C5989AEFBB1FF48310B118599DA16AB364C732FC91CBA0

Function 04EAC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da428eeb1373da985c5db27a2b1450016d917beb005476b1b2f5d05c82f75c6a
Instruction ID: 94e9f183c566556054506c69093291eddd13c617b4142f1386d6057ae6335117
Opcode Fuzzy Hash: da428eeb1373da985c5db27a2b1450016d917beb005476b1b2f5d05c82f75c6a
Instruction Fuzzy Hash: A131AD353002019FE719EB68D840BAABBA2EFC4214F00867DD20ACB365DFB1A805CB91

Function 04EA6FD1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69a9335ee3384adbebac7a79ad0b84ee5c77718685051d4c62e57840effbec4
Instruction ID: 5519def2ebbd6a13f0f9f67d2d761d982da15571e6b88af1c63ceb8342faf20a
Opcode Fuzzy Hash: f69a9335ee3384adbebac7a79ad0b84ee5c77718685051d4c62e57840effbec4
Instruction Fuzzy Hash: 31311835A002058FDB14CFA9C498AAEBBF1AF8D315F1490A8E846EF351DB71ED11DB61

Function 04EAAE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35339e45678007ebc70684507d5abe32f3a5e4a544974e702fbee67c31030e3
Instruction ID: 2654593c0c064e0c5b17e5f2f71e2a3ec4a124d02360b1357145e7dca6c9fd06
Opcode Fuzzy Hash: b35339e45678007ebc70684507d5abe32f3a5e4a544974e702fbee67c31030e3
Instruction Fuzzy Hash: AC316B74E002099FDB19DFB9D494BAEBBF6AF88304F149079E501EB355EA74AC41CB50

Function 04EAAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f657909d789dcd94dd3d7d2d2e614676d7a7c7e009d7e58bf9e8566daf611813
Instruction ID: 8c2c77d8f872d558e13df0fd34fb33d07628b1368754917d2697c1d5c0ac5193
Opcode Fuzzy Hash: f657909d789dcd94dd3d7d2d2e614676d7a7c7e009d7e58bf9e8566daf611813
Instruction Fuzzy Hash: 4E314F74E002099FDB18DFA9D4947AEBAF6EF88304F109079E505EB354EA74AC41CB91

Function 04EADFC0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1582034badf99aecfab92450da9a77e1dcb53b02bde5fecdc1e65d2dc148a33
Instruction ID: 7937d3d7bff0064be8f63cace986da92656b3f77e4e0c84b8d738fbc6a90a50f
Opcode Fuzzy Hash: f1582034badf99aecfab92450da9a77e1dcb53b02bde5fecdc1e65d2dc148a33
Instruction Fuzzy Hash: 5C314D74A002049FCB18EFA9D498A9EBBF2BF88614F04456DD406EF395DB71AD45CB90

Function 04EAAD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b17ee6deb424afa3a0e4c3c3bf9b066701092f62c533e7b1d5842a6374994b
Instruction ID: 1c7cb4ee1081abd889bb5b6a326b7538b4464e53c37113282097a1a129cca24d
Opcode Fuzzy Hash: 74b17ee6deb424afa3a0e4c3c3bf9b066701092f62c533e7b1d5842a6374994b
Instruction Fuzzy Hash: 433161B8A002499FEB44EFA4D894AEEBBB2EF84700F15847DD615AF395CA749D01CF50

Function 04EAAF98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c878cf46309b7829c49efe172de09fdc059fcb05f79a71327d9b2408c518bdb
Instruction ID: 28da2415e36789c8c36bef26f0fbe195cd11c1e13ed08896eccd005b7d619a42
Opcode Fuzzy Hash: 0c878cf46309b7829c49efe172de09fdc059fcb05f79a71327d9b2408c518bdb
Instruction Fuzzy Hash: 8C219C75A043588FDB14DFAED440B9FBBF5EB88220F14846AD118AB340CB75A905CBA5

Function 04EAAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a730f865907ba0d7246a43046374ee53751caeec3cb7183f23f2f82adf1d83
Instruction ID: c90b71026f6b4d9e503baca7bf607a5f15b30a40facb029d0f9952dc44703124
Opcode Fuzzy Hash: 79a730f865907ba0d7246a43046374ee53751caeec3cb7183f23f2f82adf1d83
Instruction Fuzzy Hash: 793164B8A002099FEB44EFA5D854AEEB7B2EF84700F118479D215AF394DF75AD018F94

Function 04EADFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e895e3c852b1eaf41d3bdb1ef012f7c18915654f416984acb23eab9d02a724
Instruction ID: ecef3a3dd00b3fe814941884524343433a7d423ca384e19d0838bf9f963ffefe
Opcode Fuzzy Hash: 45e895e3c852b1eaf41d3bdb1ef012f7c18915654f416984acb23eab9d02a724
Instruction Fuzzy Hash: E3314874A002088FCB18EFA9D498A9EBBF2FF88714F04456DD406EB394DB75AC41CB90

Function 07B82700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2300106352.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da1ab743588af0facfc2b33ba8c0ec862b558baebdb92e411b17fde23721a26
Instruction ID: 283f49f6f2fe4dc8ca3e5165fa554847afef3654600e6d7b5e4b7269b63ca201
Opcode Fuzzy Hash: 2da1ab743588af0facfc2b33ba8c0ec862b558baebdb92e411b17fde23721a26
Instruction Fuzzy Hash: 25217AF9A00206DFFFA0AE5AC548BA577E0FF85661F0481A6E9088B250C334DD84CBA1

Function 0344F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d98202f254e2550bbdd0589445a2e95b3db1d24967d41d8850b0ca8c6dd3495
Instruction ID: c5c0531ca5c16e2928893d0623fb930314dd06a1eedc371f0365d86509ce3821
Opcode Fuzzy Hash: 9d98202f254e2550bbdd0589445a2e95b3db1d24967d41d8850b0ca8c6dd3495
Instruction Fuzzy Hash: 3121F776508300EFEB05DF50E9C0B26BB65FB98314F24C5AEE9090E356CB36D45ACBA1

Function 04EA93F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9a588a3240cadcf80440a4570f48dc6e5b16af22d844faa10146cf5eac9648
Instruction ID: ab8ea04fc633a9183ba5bc9ed1c7ad37f4a1b31b0ab034886c2ba990dd5d6924
Opcode Fuzzy Hash: 0a9a588a3240cadcf80440a4570f48dc6e5b16af22d844faa10146cf5eac9648
Instruction Fuzzy Hash: 08318BB4A057448EDB60CF6AD0887CAFFE2EF88324F28D42EC44D9B246D674A455CB61

Function 0344F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149b5ad59a848786905391ab315d81b4f52c157e8a0809ebe5b9b9a8bc364a60
Instruction ID: 481e8d123169821cf7ce6ad2c402c6d09f98a30b496269248cb77016144931ef
Opcode Fuzzy Hash: 149b5ad59a848786905391ab315d81b4f52c157e8a0809ebe5b9b9a8bc364a60
Instruction Fuzzy Hash: 0C21F275504244EFEB14DF24D9C0B26BBA5EBC4324F24C5BED90A4F352C77AD84ACA61

Function 04EA9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1482fdefe4d71205cb18b94563ba4a1cb3245e0450b5045ccd217f119a8911f9
Instruction ID: 5e6c60b709044e0dad8f77d54440b302024e7a20b32c9fab1506aae63a2f0a06
Opcode Fuzzy Hash: 1482fdefe4d71205cb18b94563ba4a1cb3245e0450b5045ccd217f119a8911f9
Instruction Fuzzy Hash: 0C2159B4A057448EEB60CF6AD08878AFFE6EB88314F28D41ED41D9B246D67464918B61

Function 04EA767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd2005edc964753e1282f7786f11ec113bea60fb11a9a528102dc13901c1329
Instruction ID: e449b6633ca05d0f4f51cc18966a80c2666847c8bf4620ac580117c1a8c1ab6c
Opcode Fuzzy Hash: 9fd2005edc964753e1282f7786f11ec113bea60fb11a9a528102dc13901c1329
Instruction Fuzzy Hash: 2011FE3A7001188FDB04DFA9D840AED7BF6EBC8365B0440A9E509DB315DB31ED118BA1

Function 04EAE318 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95b7001c3ec9c99635c9c32607df5530db62b7fc5e467fc4029dead35b6ae4b
Instruction ID: cd73c61a5eea70425b996a1f0ead5024117b6b8c8f34824a5eb17b140ceb1712
Opcode Fuzzy Hash: a95b7001c3ec9c99635c9c32607df5530db62b7fc5e467fc4029dead35b6ae4b
Instruction Fuzzy Hash: 9C11AC718053858FDB11CF6AC504BEEBFF0AF49314F2880AEC008EB252D379A548CBA1

Function 04EADF18 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4826e48261aadc1c764b2f7c8106f52091ea17c4ab2cb66236429194849b4e2
Instruction ID: 873328a717e5d1ee7d8785adaabec415fe60c5c67416a8ff6b8ed314b325603e
Opcode Fuzzy Hash: f4826e48261aadc1c764b2f7c8106f52091ea17c4ab2cb66236429194849b4e2
Instruction Fuzzy Hash: D4115E357052549FC716DF68D858AAABBF1FB89315B0444AEE40ADB352C731A806CB50

Function 0344F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: 21382e3cc564d55a4c9347af0c18a7990adab58b06dc328768c582d2b2565f21
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: 35218C76504240DFDB06CF10D9C4B16BF72FB88314F28C5AAD9494E766C73AD46ACB91

Function 0344F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction ID: 79a11e9601921cc799f7094e518af52f8cc4b21a134531b4944ab9a9f95752cb
Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction Fuzzy Hash: D0118B7A504284DFDB15CF14D5C4B16BFA1FB84228F28C6AAD8494F756C33AD44ACB62

Function 04EABCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e7336d47cf15a73c4a87a247ee4c87139ab4d86e0b920ec6597c1e5aaddc2a
Instruction ID: ec4b6bde73242327158979d91aefcbc24bbafbbbf9ee35c3dc57615aad61fe22
Opcode Fuzzy Hash: a7e7336d47cf15a73c4a87a247ee4c87139ab4d86e0b920ec6597c1e5aaddc2a
Instruction Fuzzy Hash: 4C11D2312087849FD729DB79D894A5A7FE0AF45210F1888FED18ACB6A2DB20F845C741

Function 04EAE328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b93fdf285c2957c48a95a3950a5e651d1f219bbbe80885596ad6289cd2a800
Instruction ID: 2f0c482597d56133cc5a4a8edf0bbc8753f70caa2ff691712df5c47a8541abc8
Opcode Fuzzy Hash: a4b93fdf285c2957c48a95a3950a5e651d1f219bbbe80885596ad6289cd2a800
Instruction Fuzzy Hash: B7116AB1900309CFDB10CF9AC504BAEBBF4EB48324F24806DD508AB240D779A544CBA5

Function 04EAE2A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0580a1a3dd486b05dc5a357fb031529bff7e522096f2f0bca873df68d3fe3f91
Instruction ID: 75696b70c74a98dde9ab0efbff07645c53c1eb7d3df6145be3f9dca65b68a9b9
Opcode Fuzzy Hash: 0580a1a3dd486b05dc5a357fb031529bff7e522096f2f0bca873df68d3fe3f91
Instruction Fuzzy Hash: 90111B34204754CFC728DF79D09089AB7F6EF8931936089ADD48A8BBA1CB32F845CB50

Function 04EADE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f300ed52d173eb793a98352c5e2b690ffd205047b6fc5b251c84b53d4400a709
Instruction ID: 2b51c3d9f4a28f0a32bc6ace4e4701b1bc605cc9443fecfd8e093ba652f30158
Opcode Fuzzy Hash: f300ed52d173eb793a98352c5e2b690ffd205047b6fc5b251c84b53d4400a709
Instruction Fuzzy Hash: C8015236B05214DFCB25AFB5E808AAEBBF5FB88315F14406DE51AD3342DB31A911CB91

Function 04EABF10 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1797a939c807f984a41269cc45ed8157aded9aa6de3034e58f5bd0a45d2303aa
Instruction ID: a3e819aaf18928ae8c246106ee8a0dd5db852725f44c924ea25be98c2da05694
Opcode Fuzzy Hash: 1797a939c807f984a41269cc45ed8157aded9aa6de3034e58f5bd0a45d2303aa
Instruction Fuzzy Hash: CCF0A4353093A15FD7028A799C9096B7FE9DF9651170944BBF584CB3A3C670CD04C760

Function 0344D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8213955c190c2c339398bf79f9d0425f37632edfabee1112051ede73d43a55c
Instruction ID: fd86af056ccd1d0548e0c9fd515de5706b72129c63d8a75722585ee309ea9741
Opcode Fuzzy Hash: c8213955c190c2c339398bf79f9d0425f37632edfabee1112051ede73d43a55c
Instruction Fuzzy Hash: 6201047140E3C05FE7128B25C994756BFB4DF43224F1D81DBD9848F2A3C2695845C772

Function 0344D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d022e304d60b023c09db720c5b64fb277120c4536ef6f6c45f85cc49dc2d45
Instruction ID: fed247e99de0dabc5163c8de1cd0e172b4748969bd763266460026911efed41d
Opcode Fuzzy Hash: 07d022e304d60b023c09db720c5b64fb277120c4536ef6f6c45f85cc49dc2d45
Instruction Fuzzy Hash: F401DF718043409AF7108A25CD80B67BF98EB82228F08C06BED181F243CAB89842C6B5

Function 04EA7958 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac714926f9dd0fb4fe792a9d6482f0d4773a59e978525ac605c9b79ceb01bc2
Instruction ID: 478ad5603ba9107abe17c5062d733b2cea5e85a3a5a601b3c32015ad21d13c6b
Opcode Fuzzy Hash: 3ac714926f9dd0fb4fe792a9d6482f0d4773a59e978525ac605c9b79ceb01bc2
Instruction Fuzzy Hash: 99F02B717012109FE724CB69D844E6F7FE5EBC8621F00062DE44AC7340DE306C0587A1

Function 0344D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e53e347bbfc8a7b499ec296cf81f9fd4a054a7fda2fc0b3401548062886c73b
Instruction ID: e20a854fa8deff0e8114576c68f731f99e430e85acee6ea8a32afc76304857b2
Opcode Fuzzy Hash: 9e53e347bbfc8a7b499ec296cf81f9fd4a054a7fda2fc0b3401548062886c73b
Instruction Fuzzy Hash: BDF0F976600604AFD720CF0AD985C27FBEDEBD5670719C56AE84A8B712C671EC42CEA0

Function 04EA90D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de08df67e09fcc26c5ac7bdf45fbe301617acc57fb3ec1ee9679ab1f7602c5a
Instruction ID: 93352bcce5ee9f2229f754cafb645fba6502dba2feb4cce5651a5162938bfa3c
Opcode Fuzzy Hash: 8de08df67e09fcc26c5ac7bdf45fbe301617acc57fb3ec1ee9679ab1f7602c5a
Instruction Fuzzy Hash: BCF0C235B082404FE355AF2490587ABBBA1EFC5319F1081AFC5568F292CE396846CBA1

Function 04EADE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90da082b596c2141bb8131c6ab77a9e7a0b61d8d2cb4bf1f4774bfd13ef1290
Instruction ID: 0386e24162aa661ee7aeaae644ea3e549afc78ab70e5bb51098488d53eba160c
Opcode Fuzzy Hash: c90da082b596c2141bb8131c6ab77a9e7a0b61d8d2cb4bf1f4774bfd13ef1290
Instruction Fuzzy Hash: 49F05E387042508FC3119B2CD894CBABBF69FCA31931950AAE185CF772CA61DC12CB91

Function 04EA7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac74ef878532383d334ca68bd3899c83b1f18ccc6457dd7414a20f39672a695
Instruction ID: 9169b13a3e056c93bc0fa60b2cafa2dbd0a05c102dfd1cf232d59e72a93e1da3
Opcode Fuzzy Hash: 0ac74ef878532383d334ca68bd3899c83b1f18ccc6457dd7414a20f39672a695
Instruction Fuzzy Hash: 9BF0A035700714AFE724DB6AE844A6FBBE9EBC8675B000A2DE10AC7340DF71BC0187A4

Function 0344D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2271057784.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36656b980d165bf1b9ee809b1aad376458c49c1bffbb87491901682f1b41eca3
Instruction ID: 99d6906d11fae632ea89fca9076d1a105273b6d8432ccf1f249ff7f763799d95
Opcode Fuzzy Hash: 36656b980d165bf1b9ee809b1aad376458c49c1bffbb87491901682f1b41eca3
Instruction Fuzzy Hash: 37F04979100A40AFE321CF06C984D23BBB9EB85620B198499A85A8B312C670FC02CF60

Function 04EAE7A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec93631f7f8571d637cd468f304637c6af9d8d963b4385820ebd56f9ece45116
Instruction ID: eaa20c8a5a3a7313d27dda874362272a287f1d833d1e6f9eaf11d74c1dcfac73
Opcode Fuzzy Hash: ec93631f7f8571d637cd468f304637c6af9d8d963b4385820ebd56f9ece45116
Instruction Fuzzy Hash: A3F0E531B882A56DCB26997C98848DE7F948F96120F0400BDE541AF253C651941AC391

Function 04EA7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb864306b65d90341a1776d5caa788fd4a9dd4a81cbbddff9d9b35b5d797407
Instruction ID: 8b276c93f9d34e5098ba3290a57c1f021351115a59141f06024916838cc7846d
Opcode Fuzzy Hash: dcb864306b65d90341a1776d5caa788fd4a9dd4a81cbbddff9d9b35b5d797407
Instruction Fuzzy Hash: 27F0E5397001048FDB00DBBDD800AEA7BE2EBC875570945A9E509CF311DF70EC128BA1

Function 04EA90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17a37c42b9c12d466317106374e438e59c6504556fc6ec1adcb372e02faa39c
Instruction ID: 671727d8a81fd3ccaace10a40b2ce77138b14adcb801051a6a04cf5671318840
Opcode Fuzzy Hash: f17a37c42b9c12d466317106374e438e59c6504556fc6ec1adcb372e02faa39c
Instruction Fuzzy Hash: A3F0E2396042044BE314BF65D0187ABB796EBC0718F10812EC50A4B385CE396842CBE0

Function 04EA9158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebe057b7336d74c4f6f4630c89d0856d93c1ca109d5b22f45210d8216e95677
Instruction ID: 98c195b4e8da84b60200792ee9d1ffef947d41e9f10695f57b4d16346f63c5bf
Opcode Fuzzy Hash: 2ebe057b7336d74c4f6f4630c89d0856d93c1ca109d5b22f45210d8216e95677
Instruction Fuzzy Hash: AEF09070A093915FD765EFB894DC38ABFE0EF02210F0404AED44ACB282CB346885C750

Function 04EADE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114e6e4a7bf7069b57435f891c1f93af05fec8947604488dd024864d0fc5b9e4
Instruction ID: b78b62145d074b1897b8cdb4b7af825e075a868dcd2099d234959cfe0a17122d
Opcode Fuzzy Hash: 114e6e4a7bf7069b57435f891c1f93af05fec8947604488dd024864d0fc5b9e4
Instruction Fuzzy Hash: 93E01A397002108F83109F1DD898C6AB7FAEFCE76971950AAE549CF731DA61EC11CB90

Function 04EA9542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c122f6d1eac6cd3f03c8050b84309ed24e5ad0af01c75be175bb85481185ec78
Instruction ID: 368bc829e6f86bfcc92b80197c5c076af1b78984fe7fa49b28dba5e97bfef0ff
Opcode Fuzzy Hash: c122f6d1eac6cd3f03c8050b84309ed24e5ad0af01c75be175bb85481185ec78
Instruction Fuzzy Hash: B3E09A2174A2E21A8756A2BC68105BA6EDA5FC206830910FEC945CF293D844AC1683B2

Function 04EADCD9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ae1911a94086d8ade93f5004ccce56fe46761b0056eda1ea524fd639d98ac1
Instruction ID: 58a38487204ec9b1ec9c06c7a77e7c844f896fd5b1a92bf35263bc043ecc9e32
Opcode Fuzzy Hash: 82ae1911a94086d8ade93f5004ccce56fe46761b0056eda1ea524fd639d98ac1
Instruction Fuzzy Hash: 9EE0E531B100506BCB098A6CD8408EDFBE6AFC9210F04807EE4069B641CA216416D6E0

Function 04EA896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb4c5bde0db9acc39e49c4c864d01ff5556f9bbe740eb093dadb1f9b5bccbaa
Instruction ID: d1c56294f84bd967750cef1a2ad1d1c1c3ca563c6e588a75c7b59fa3f4a3d0fa
Opcode Fuzzy Hash: 5eb4c5bde0db9acc39e49c4c864d01ff5556f9bbe740eb093dadb1f9b5bccbaa
Instruction Fuzzy Hash: DEF0823530D2915BCB1A6BB4A4185AE6FA19BC6614B05007FD106CB283CE6848058795

Function 04EAE92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d8fc67eb71597b73f4251b55da4b7ae44cd560c11b6a0a32c6b659861aea1d
Instruction ID: be6cfc38585f00302c342d62f8711ff9957e23618d00f64819f9fd778b00a0a3
Opcode Fuzzy Hash: 89d8fc67eb71597b73f4251b55da4b7ae44cd560c11b6a0a32c6b659861aea1d
Instruction Fuzzy Hash: 8DF0BD39A55108DFCB00DF98E989D9CFBF2FF48220B158544E90AA7322CB31AD01CB80

Function 04EA9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9323158dd5e90d4bc86f177d5aba6da2cf9926f147c606b1317d7458aaaa891d
Instruction ID: 4c0371db9a156ffacc5f6a7042e5f523a0396c1d8ce7d58e7a327d71268ef8ff
Opcode Fuzzy Hash: 9323158dd5e90d4bc86f177d5aba6da2cf9926f147c606b1317d7458aaaa891d
Instruction Fuzzy Hash: 46F06D70A043044FD360EFB9E49C79ABBE5EB44320F40442DE50ECB341DB396880CB90

Function 04EAAF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5823ca735089911f7396a12bcc90095d4bc99f4e55f9dbb22848926ed890ce3e
Instruction ID: 1f28882af76f48400e29a93b6e111f56f893e84dee9c6410b1e5c01b40fcab8a
Opcode Fuzzy Hash: 5823ca735089911f7396a12bcc90095d4bc99f4e55f9dbb22848926ed890ce3e
Instruction Fuzzy Hash: F9E0862674D3D11E5B5B913D64A04AA5FB38AD752130A80FAD084CF242C8518C0B8391

Function 04EAF860 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b612dafd42a5c2cd6a2f6aa5988d78cd45fa4cc9b7fdb37a17baf09877b524
Instruction ID: bf8743d5e5e2e55ccfa0e3f97724e49c6e393513d6d09c18623135b2fe765b4c
Opcode Fuzzy Hash: b6b612dafd42a5c2cd6a2f6aa5988d78cd45fa4cc9b7fdb37a17baf09877b524
Instruction Fuzzy Hash: AEE01270E04249AFC780DFF8C49116AFFF4AF09200B2080BECA49EB312E6715612DBD1

Function 04EA8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03131b03775e5491d958408f20d3f134b488cc1484821f1f9949cfd1d4811345
Instruction ID: aa86ec405c5938978238447ba15376abf8880a7f0ab01da9a3b1569371405d0a
Opcode Fuzzy Hash: 03131b03775e5491d958408f20d3f134b488cc1484821f1f9949cfd1d4811345
Instruction Fuzzy Hash: 45E0263530831047CB097BB5A40C6AEBA56EBC9B24F00002ED6078B342CF78691183D9

Function 04EA9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20477b45c72e1d72ce89a485c1baf5a99ff82700a610264f0946298b359f0966
Instruction ID: 8310470d448d220a8f3a753925f4a87d4397f087b14e43bb9323b7405c6a68de
Opcode Fuzzy Hash: 20477b45c72e1d72ce89a485c1baf5a99ff82700a610264f0946298b359f0966
Instruction Fuzzy Hash: 1DD0A722B0122117165472FE6801ABBA5CEAFC45AD7052036DA09CF342EC44FC2243F1

Function 04EADCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: e018d0222ef56fb1f16c50254547270be4f88be640b64512e4d6df131a348dfd
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: E6E08635B1001497CB08995DD8108EDF7AADBCC220F04C07AD90AAB740DA32791586E1

Function 04EA8800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cc96b137676b3d017eb458f96f7c0e6501053330aacd63bbdc2db47bca48ba
Instruction ID: e6b73c859f8d9e0405b27ed2e09fe8f7633db88b882558fd661f5d3d3717f13c
Opcode Fuzzy Hash: 23cc96b137676b3d017eb458f96f7c0e6501053330aacd63bbdc2db47bca48ba
Instruction Fuzzy Hash: C0E09230A4C3865FCB59EFB8D44686FBFF0AB45200B0041BDD90ACB243D6215406DBC1

Function 04EA8739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb5e3de944101e1cd2cbca3980cdb8f4af553154d1e2bf374e04ea4daeaa6bc
Instruction ID: b888625bff45558cabbd1da6183ecb83b5d26ca6c6234db8f7c412d971cf9ab1
Opcode Fuzzy Hash: feb5e3de944101e1cd2cbca3980cdb8f4af553154d1e2bf374e04ea4daeaa6bc
Instruction Fuzzy Hash: D3E04F31E080468BCB0DBBF4D8994FDBF70EE15301B4001ADD45397492EA22199ACBC0

Function 04EAF870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: d287ac535db8a8380b3d76df407d87eccd15eaf2e9db4b0477c3e4b2ab733b1a
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 96D06270D042099F8780EFADC94156DFBF4EF48200F5085AA8919E7301F7319612DBD1

Function 04EA8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30453a5342bad4b1f2d6f3307f9485c440a7a456d9a68eb4f2b0181a018084a4
Instruction ID: a46d4444bec4ffa1dbc401dfc68b808bbbaa80cd2c38a3b38e6e3625a998aff3
Opcode Fuzzy Hash: 30453a5342bad4b1f2d6f3307f9485c440a7a456d9a68eb4f2b0181a018084a4
Instruction Fuzzy Hash: EFD067319081098BCB1CBBA5E85A4BDBB74FB14301F40416DE91792191EA322A5ACBC5

Function 04EA8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d083c9ef76e03a7eacf72583885376cc70b37b535c1e791f7130a30091bc3875
Instruction ID: 47a4f174e48028be67f7f0a4df3ba89634beea65005c518c153814c613d0112b
Opcode Fuzzy Hash: d083c9ef76e03a7eacf72583885376cc70b37b535c1e791f7130a30091bc3875
Instruction Fuzzy Hash: 8BD01734A0820A8BCB58EFA4E44686EFBB4EB44300F004169DA0A93355EA316811CBC1

Function 04EAEA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698ad6d28139cbcfec37fdc74e8f17ffe0a6d8abb31a2f7fb7a668bc3fa18307
Instruction ID: d840ea770d825653df14c923c25b39ea287ca8e983de14a1939cba3e60246941
Opcode Fuzzy Hash: 698ad6d28139cbcfec37fdc74e8f17ffe0a6d8abb31a2f7fb7a668bc3fa18307
Instruction Fuzzy Hash: 3FD09239B84218CFCB14DB98E895ADCF3B1FF84325F1480A5E9169B251CB32A916CB40

Function 04EA7932 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2e8dfc7453366d63f88b0895e33b7b5689fbc3b16952ba87219088e80a44e4
Instruction ID: 64f09f4ca2ecc783bba0062eeef71170b59b81578782b4161e568ef78b2d992c
Opcode Fuzzy Hash: eb2e8dfc7453366d63f88b0895e33b7b5689fbc3b16952ba87219088e80a44e4
Instruction Fuzzy Hash: 0DD012748493849BEB254F74A4D59143F546B12211F0405DDDC860E6A3D9768898CF45

Function 04EA7EA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081e925bb83c0ab27766caef415bcdf4da2ecaa22bd140f0dcc8666fcd6854e9
Instruction ID: 7a0686a08b55ad82ea776c7c3be89ca5bca5e1589fe98d86f388e3918dfcecab
Opcode Fuzzy Hash: 081e925bb83c0ab27766caef415bcdf4da2ecaa22bd140f0dcc8666fcd6854e9
Instruction Fuzzy Hash: 72C08C628091810BFF09A236441A6226E222782100F0781E9849586480C820400ECA03

Function 04EA7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2273253656.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1946c1cd0287a74f650ba1ba183ed8a947a2b017151a7581ffe2e0fc8238b58
Instruction ID: 30eced8b445f7726dfd637ca47caf60ec297993258ce4be529c70b362aa9d140
Opcode Fuzzy Hash: f1946c1cd0287a74f650ba1ba183ed8a947a2b017151a7581ffe2e0fc8238b58
Instruction Fuzzy Hash: D0B092301857488FC2586F75A804814772DBB4022538004A8E80E0A7A28E76E884CA48

Analysis Process: powershell.exePID: 5392, Parent PID: 4364COMMON

Executed Functions

Function 04CCB490 Relevance: 4.0, Strings: 3, Instructions: 258COMMON

Download Yara Rule

Strings

kU'n^, xrefs: 04CCB770, 04CCB775
{U'n^, xrefs: 04CCB738, 04CCB73D
['n^, xrefs: 04CCB529

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID: kU'n^${U'n^$['n^
API String ID: 0-3725065086
Opcode ID: 88e78c201c822671e8091a7aa3ab56afaf193bd547b8352a2c80f9afbde36800
Instruction ID: d0ca47d4d8bc288bf9606b0fb451bcf2e94624e34dcf3b201431ddb94763e34c
Opcode Fuzzy Hash: 88e78c201c822671e8091a7aa3ab56afaf193bd547b8352a2c80f9afbde36800
Instruction Fuzzy Hash: FE9183B4F017559BDB19EFB488506AE7BB3EFC4610B40892DD106AB344DF386D068BD5

Function 04CCB4A0 Relevance: 4.0, Strings: 3, Instructions: 252COMMON

Download Yara Rule

Strings

kU'n^, xrefs: 04CCB770, 04CCB775
{U'n^, xrefs: 04CCB738, 04CCB73D
['n^, xrefs: 04CCB529

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID: kU'n^${U'n^$['n^
API String ID: 0-3725065086
Opcode ID: 9ff30bf80a1678ed6f474e213ff450d73d1c9e8e82a4c9c1c8be908d3387d1f4
Instruction ID: 5b51ec95248f3c9f76ad243eaed10858335649294db9570d5def3bdd6a12f359
Opcode Fuzzy Hash: 9ff30bf80a1678ed6f474e213ff450d73d1c9e8e82a4c9c1c8be908d3387d1f4
Instruction Fuzzy Hash: B49181B4F017559BDB19EFB488506AE7BB7EFC4A00B40892DD106AB344DF38AD068BD5

Function 04CCC4D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

B'n^, xrefs: 04CCC526

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID: B'n^
API String ID: 0-1927066434
Opcode ID: 85b58eaa1f64360be44d63a0e6d4593efc6f31e2c563a6b1f52a59473015e57a
Instruction ID: 6416d16fe60c9a84facc97517bbbb74893370e2ba1f3d727d5a5ab57cc2d2ad1
Opcode Fuzzy Hash: 85b58eaa1f64360be44d63a0e6d4593efc6f31e2c563a6b1f52a59473015e57a
Instruction Fuzzy Hash: C5F0A4755043445FD315EB28D48096ABBA6EFC22247158A7EC14A8F725DA79AC0AC7A0

Function 04CCC4E0 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

B'n^, xrefs: 04CCC526

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID: B'n^
API String ID: 0-1927066434
Opcode ID: 8f1ffc9450d95f814e8fef816c13977a33a2874eeaf505f06ecccc84d256b0eb
Instruction ID: b1b3151364c7712e00cd1b9a8e40946422088ef98d1d020dbbddd5f492e6f1bb
Opcode Fuzzy Hash: 8f1ffc9450d95f814e8fef816c13977a33a2874eeaf505f06ecccc84d256b0eb
Instruction Fuzzy Hash: 48F0A7792003045BD314EB29D88095BBB96EFC56257009A3DD20E8F714DF7AEC0687E0

Function 07B42700 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd808774ce347688a507f900a6318f1c1ee4b7ad8e0b1ac89b4b272a8e48ff6
Instruction ID: f4e54b9f045254746fca975553f64c4fc7b0be22161c2b09b20779f9dbde0800
Opcode Fuzzy Hash: 0dd808774ce347688a507f900a6318f1c1ee4b7ad8e0b1ac89b4b272a8e48ff6
Instruction Fuzzy Hash: E0B1F6B2B00206DFEB249BA888447AE7BE1FFC5210F1484FAE505DB251DB71CC45E762

Function 04CC29F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2b8a8d71c9b5123052a2b96bd2fa7585e228db3eaa0bc68ef556c73052b30b
Instruction ID: 523f13ff76b4ec122913fef7c675f2714e5b011d01f94b1fab3b514597f55a92
Opcode Fuzzy Hash: 2a2b8a8d71c9b5123052a2b96bd2fa7585e228db3eaa0bc68ef556c73052b30b
Instruction Fuzzy Hash: 6D915974A00605CFCB15CF59C494AAEFBB2FF88310B2486A9D915AB365C735FD52CBA0

Function 07B41990 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40afc05de2df729d97589d5702bcab4fcf86447f0f5917d5475938ccfabad51d
Instruction ID: dde75cb45fcb2b9ee0b451b1aa54bc2649cd6c76114564df8984272178815154
Opcode Fuzzy Hash: 40afc05de2df729d97589d5702bcab4fcf86447f0f5917d5475938ccfabad51d
Instruction Fuzzy Hash: 74514BF2B0435E9FE7209BADC80066ABBE5DFC5210F1480BBD515DB252EA31CC81C761

Function 04CC7728 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd11e1d39c61ddca3b73a205135d3d591019dc67ded5fd0a1d718cbbbd60efd
Instruction ID: a532c90f66819065afcdfdc7dd3bff72d01583e797ca615c8e7630c606449beb
Opcode Fuzzy Hash: 7cd11e1d39c61ddca3b73a205135d3d591019dc67ded5fd0a1d718cbbbd60efd
Instruction Fuzzy Hash: 0151BB347052069FD705DBA9C854A6A7BE6FFC8254B18846AD609DB352EB31EC02CBA0

Function 04CCBAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb2c674f78affae02e7db52588f9fb06b544ec1d11ad2d8f57cf1bfbfb49edc
Instruction ID: 90e77dd7fe391303e09c6d657c67e3e0fb06f8c5e045e4116e2c00b8c3144b10
Opcode Fuzzy Hash: 7bb2c674f78affae02e7db52588f9fb06b544ec1d11ad2d8f57cf1bfbfb49edc
Instruction Fuzzy Hash: BF611375E00248CFDB14DFA9D584A9DBBF2FF88310F14812AE819AB355EB74AD41CB60

Function 04CCBAC0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb62c200ce23e4555ed8091aa3371e9a1a8bff48d051b2ca020ee57ec023505d
Instruction ID: faad464183cfd122ea724ef3a17af7f86450798b8248ab7add3c44e6633bea5c
Opcode Fuzzy Hash: bb62c200ce23e4555ed8091aa3371e9a1a8bff48d051b2ca020ee57ec023505d
Instruction Fuzzy Hash: B4512674E00248DFDB14DFA9D584A8DBBF2FF88310F14802AE819AB355EB74AD45CB61

Function 07B43D9D Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c67125a28b7e3909b2d5dda1cf7278ad596c5396f42979dd4acfbba0274c815
Instruction ID: e03cd4ea19402c6301c718fef62ec89ee4fcbe3d7f0acc137390fbd5f3e6ab07
Opcode Fuzzy Hash: 6c67125a28b7e3909b2d5dda1cf7278ad596c5396f42979dd4acfbba0274c815
Instruction Fuzzy Hash: 41418AF1B40211CBEB259BB8C5107AEBBD29FC1614B1848EAD501AB742DF32DD01D7B6

Function 04CC6FC8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef67fde627fb1ab3624e3f6b5edc449c13309587f8e2c1d438a2a41b3eb4fad7
Instruction ID: e1d1f86c08eceb5d7bcfd77bd0de2911c5a8309c3a2bd31ba761f420463e783f
Opcode Fuzzy Hash: ef67fde627fb1ab3624e3f6b5edc449c13309587f8e2c1d438a2a41b3eb4fad7
Instruction Fuzzy Hash: C7412834B052058FDB08DFA4C594AAEBBF2EB89715F1480A9E502AB391DB35ED01CF61

Function 04CC2B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47caaef925b6d9c15d36ba5c9b45209f3c5d4ff952270d2db745bebb116cb76c
Instruction ID: 2fb03f5977db86944154f489c64f133d24f4662cc31c9943319414fd3ba2522a
Opcode Fuzzy Hash: 47caaef925b6d9c15d36ba5c9b45209f3c5d4ff952270d2db745bebb116cb76c
Instruction Fuzzy Hash: E2414974A00605CFCB05CF59C5989AEFBB2FF48310B1585A9D916AB364C736FD51CBA0

Function 04CCC398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313b62a620be757191b8de9b31782f7ed5665ac46a2c89cf60489014c7a3869a
Instruction ID: 8786c78aa732576c3b5f4e4bc178f80e4a3b44c9b897e9aabc8471ab878d0329
Opcode Fuzzy Hash: 313b62a620be757191b8de9b31782f7ed5665ac46a2c89cf60489014c7a3869a
Instruction Fuzzy Hash: 02318F393006019FE709EB78E894B9ABB96EBC4311F04953DD60ACB355DFB5A8058BA1

Function 04CC6FB9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfabd011b73b149215526f87414ad8a00235ed3eb35b06404ab11dbbe13084f
Instruction ID: 7726e0fdd1efa1bcb982bc611b478f83d02e2436d54e7bc9aae3adf7eccba98f
Opcode Fuzzy Hash: 8cfabd011b73b149215526f87414ad8a00235ed3eb35b06404ab11dbbe13084f
Instruction Fuzzy Hash: 5A310A34A012058FDB14DFA4C598AAEBBF2EF8D315F1890A9E406AB351DB31ED41DF61

Function 04CCAE70 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67abbaf418f6e614399d5fb9ddb275b6222fd1844396883ad98c1e85b49fbcc9
Instruction ID: a77e2ff055e93f42a59d7ac77c7dff9ce4393a3a360566422300cef77b6d3d3b
Opcode Fuzzy Hash: 67abbaf418f6e614399d5fb9ddb275b6222fd1844396883ad98c1e85b49fbcc9
Instruction Fuzzy Hash: 0331AE74E002099BCB04DFB9D4887AE7BF6EF88310F14802DE405EB355EB75AC419BA1

Function 04CCBCF0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8398e68f880646c9538fec647c41c9b546b380472bc3103cf2bf7a91d2558114
Instruction ID: 2927cf6c9f19f49b5fc05c4f943f7937ab716c37440c3aa44ec89eb812a5ecac
Opcode Fuzzy Hash: 8398e68f880646c9538fec647c41c9b546b380472bc3103cf2bf7a91d2558114
Instruction Fuzzy Hash: 1C31E2349087818FDB24DF78E44469ABFF1AF06320F1488AED09ECB6A2D735B905CB41

Function 04CCE04F Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6c89ea41e2f32ec3399e039d25d2771dd6183d17a7a4760421fb2af5de7473
Instruction ID: 9a52ae137f528399d6fc51b9c8500d4b06926a6948133825c37ce3ff60050527
Opcode Fuzzy Hash: 3e6c89ea41e2f32ec3399e039d25d2771dd6183d17a7a4760421fb2af5de7473
Instruction Fuzzy Hash: 30316B74A002048FCB18EF69D49869EBBF6FF89314F04846DD546EB351DF34A845CB90

Function 04CCAD38 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d3cd4402649736c1249e6072d385c8644494a623b04c6a192908f880c863f9
Instruction ID: 1dd09a0308b14cfa75fd51761f569fb9f249a2f7be744d097dfe257600931db2
Opcode Fuzzy Hash: 23d3cd4402649736c1249e6072d385c8644494a623b04c6a192908f880c863f9
Instruction Fuzzy Hash: A6318EB8E003499FDB05EB64D898AAE7BB3EF85300F1184A9D101AF395DA799D418B60

Function 04CCAE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97ce4d25e31464691575816249e94efa02f7dd04f5eb6ca608442068f8d8da9
Instruction ID: 47f2fc6b4f3f077a508e02b45307885ed3ee7aa8be5fbc45c9876b5b26e6098c
Opcode Fuzzy Hash: b97ce4d25e31464691575816249e94efa02f7dd04f5eb6ca608442068f8d8da9
Instruction Fuzzy Hash: 77317A74E012099FDB04DFA9D4987AEBBF6EF88300F14902DE505EB354EB759C419BA1

Function 04CCAFA8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614a9941af90ad105b6a8ad02b397e2b24e16a9bb8cf36858f04df95e4c049e1
Instruction ID: 1eefda505f0ae2000c7f1f7f8ec39830fae6c88989129cafcdf898ae40374aff
Opcode Fuzzy Hash: 614a9941af90ad105b6a8ad02b397e2b24e16a9bb8cf36858f04df95e4c049e1
Instruction Fuzzy Hash: A021DE75A043188FCB14DFAED84479EBBF6EB88320F14842ED408E7340CB75A9058BA5

Function 07B426F6 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6265833159114727a1d0f629bffd51b2ef90eff99ddd3837b148719e6be4c069
Instruction ID: 3ee6b232699771bbab1f2a8d02651c91f2ab58213308f4452ee6e166186623b6
Opcode Fuzzy Hash: 6265833159114727a1d0f629bffd51b2ef90eff99ddd3837b148719e6be4c069
Instruction Fuzzy Hash: 9F2148F5A00206EFEB208F59C544BEAB7A0FF85661F0480E6F9049B250D734DD84FBA2

Function 07B41901 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2313521aee2252237b0a73ad1f212a8b92d124a2d4df7e84e9c47a6efef1cdd7
Instruction ID: 7682a652ff520e20908a5188fc64ddb07fec659d154966966c6a91e79984d09f
Opcode Fuzzy Hash: 2313521aee2252237b0a73ad1f212a8b92d124a2d4df7e84e9c47a6efef1cdd7
Instruction Fuzzy Hash: A721D6F2E0434E9FE710DB9CC8407A97BF1EF45221F0541E6D514CB152D3318985D762

Function 04CCE060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cc0283258fc537b11ae2052abb3978432ba72ef2fe743a5ead0b908b19e3ef
Instruction ID: 8933b758450adb05287a94521440ea241e577a09affd6d1420bda71f126be148
Opcode Fuzzy Hash: f3cc0283258fc537b11ae2052abb3978432ba72ef2fe743a5ead0b908b19e3ef
Instruction Fuzzy Hash: E8311478A002048FCB18EB69D498A9EBBF6EB89714F04946DD446EB391DF74AC45CB90

Function 04CCAD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edd3bef09f3cd1a06c87b20df1c9cf0edaa3f8e11682fe3c3eb1c5fdf5a7b90
Instruction ID: 7f6fe5a2ea4b79cd611e6605274b928dcdc884bc5e376822a66536a7211bc769
Opcode Fuzzy Hash: 1edd3bef09f3cd1a06c87b20df1c9cf0edaa3f8e11682fe3c3eb1c5fdf5a7b90
Instruction Fuzzy Hash: 4D3150B8E003099FEB04EBA4D894ABE77B3EF84700F118469D111AB394DB399D418F50

Function 04CC93F8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ce1cd865c87ec549791b82bcea52f472176771ed18091d5b05d065f9d576bb
Instruction ID: baedcbfb10787babcb4e24a7dbe4128f5093257acfba58e2539440bc5e608a06
Opcode Fuzzy Hash: 34ce1cd865c87ec549791b82bcea52f472176771ed18091d5b05d065f9d576bb
Instruction Fuzzy Hash: A3319CB59057848EEB60CF6AD08839AFFF6EF88320F28C05DD44D97215DB74A445CB61

Function 0338F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c085291319b69a4edd969adb7a8768d29a1fad7d0a1aa1a7f45d49122e8bdc
Instruction ID: e10f9d07704c8ffff45b31a598c6e0fa8bfc5deaec37eed9cac78636b91e471a
Opcode Fuzzy Hash: 12c085291319b69a4edd969adb7a8768d29a1fad7d0a1aa1a7f45d49122e8bdc
Instruction Fuzzy Hash: BE21F776608300EFDB05EF50E9C0B26BB65FB88314F24C5AEE9090B256C736D496CBA1

Function 07B41968 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3c74e85c47665b32324c8e35e091341b9782dd048ab2da6f2a907fcd257acc
Instruction ID: ca99e70c518b757c3622a9c319c3b97c163afe3a660f9eeb468acc5fa3919ab8
Opcode Fuzzy Hash: 7c3c74e85c47665b32324c8e35e091341b9782dd048ab2da6f2a907fcd257acc
Instruction Fuzzy Hash: F721B2F2E0434E9FE7118B5CC844AAA7BF1EF46220F0541E6D5148B252D7359886D7A2

Function 0338F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0a7a6c46f50021bc9316788f4c46fd4c683bccdf9f71601c949cc3fe70f79a
Instruction ID: 0fe72c718f7324bd785dc91bd2af295349a2f4022559cd787f530ed57d4bbab5
Opcode Fuzzy Hash: ca0a7a6c46f50021bc9316788f4c46fd4c683bccdf9f71601c949cc3fe70f79a
Instruction Fuzzy Hash: A52129B5504344DFDB14EF14E9C0B26BF69FB84314F24C5ADD9094B252C77AD446CA61

Function 04CC9408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a20840f4a37e52def5bf9f2407cecfa7fec94e517c907f51b947b69ae8c9c59
Instruction ID: 91559bb893909f89a53863c1320c617bf88ed923fe36cbc6da841b4d239f02f6
Opcode Fuzzy Hash: 6a20840f4a37e52def5bf9f2407cecfa7fec94e517c907f51b947b69ae8c9c59
Instruction Fuzzy Hash: BF217AB49057448FEB60CF6AD08838AFFF6EF88320F28C45ED85D97205DB7464808B61

Function 04CC7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7bdc4498c8a8c27fe3d632c5d63954bdd44aed7ffbb1a61c486b6b8687e8bb
Instruction ID: 256edd21b225a3a404a9daa065ba5bb889bcb8b1d8a0492b655c2dc3ec50b9c8
Opcode Fuzzy Hash: 5e7bdc4498c8a8c27fe3d632c5d63954bdd44aed7ffbb1a61c486b6b8687e8bb
Instruction Fuzzy Hash: 5D11FE39B002198FCB04EBACD840ADE77F6EBC8725B0440A9E509DB715DB35ED118BA1

Function 0338F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: 2e1c949876e69beb452f821b931b4c06965b7b96fbb34d3bd4fdb697511089b4
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: 7B215E76508340DFCB06DF50D9C4B15BF72FB48314F28C5AAD9494B666C33AD45ACB91

Function 0338F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction ID: f2c28c5995f603bc66c7f00b573ab13f7e92d034a18dbac17c43fe6df491b91f
Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction Fuzzy Hash: 35119DBA504384DFCB15DF14E9C4B15FFA1FB84328F28C6AAD8494B656C33AD44ACB61

Function 04CCDCE1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e90b085b748e87cd2c27d269c722aef174dc77589022ae0dffe661ae9852b5
Instruction ID: 3ffb66947b3aa5934355aba866b3f7fef52630a70ae7d49cdaec329b774416fc
Opcode Fuzzy Hash: 40e90b085b748e87cd2c27d269c722aef174dc77589022ae0dffe661ae9852b5
Instruction Fuzzy Hash: 78010831A041449BCB15CA68D4444FCBFB39BD8210B1844BED50797352DA70AD12DBA1

Function 04CCDEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e52583b6560a2b25c7d0fac8fd2a00fac0f9cd879b7b061100dfe9aea53406
Instruction ID: 3439bfe2869b7b416e7793b8c81abf8851442a2a9053f1a1e6624c0254415584
Opcode Fuzzy Hash: 04e52583b6560a2b25c7d0fac8fd2a00fac0f9cd879b7b061100dfe9aea53406
Instruction Fuzzy Hash: 5B01B539B00214DFCB159F74E808AAEBBF6FB89315F00446EE50AD3342DB315905CB90

Function 04CCDFD8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe8125a47c98380c972bf1ee9a996169156e839862696bbb52d0907110ab180
Instruction ID: 981a576bf6a099f74e93f5a16e719e1c260f192f8005f3f31cbb4bc60711be16
Opcode Fuzzy Hash: bbe8125a47c98380c972bf1ee9a996169156e839862696bbb52d0907110ab180
Instruction Fuzzy Hash: 41111B34204754CFC728DF75D0808AAB7F6EF8931536089ADD48A87BA0CB32F845CB50

Function 04CCBF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8339b0c63eca58a08b1fa8e77fe641b0d10c989d2bbbc975f673cd760b80ebc
Instruction ID: 0a76d6e0694e0f91e50d163f16865d22bce1b0e3aff66457ad95d04f686516f3
Opcode Fuzzy Hash: b8339b0c63eca58a08b1fa8e77fe641b0d10c989d2bbbc975f673cd760b80ebc
Instruction Fuzzy Hash: 1B01D6363193A51FD7118AB95C549B7BFEEDF8616070440AFF540C7392DA71EE049B60

Function 04CCDC90 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb0b5b5bdad0e4a82b3d1a0eba43ed84e35abb0d48d749b52bc9b6ef3f7527c
Instruction ID: 6b2ab93b63d732c4663affa494dc988683e8fffe1568358f0a9ffcbaa6a31d65
Opcode Fuzzy Hash: 3eb0b5b5bdad0e4a82b3d1a0eba43ed84e35abb0d48d749b52bc9b6ef3f7527c
Instruction Fuzzy Hash: 64F0F63A7446146B8726665DAC008EEBB5BCEC56B1305007FE04BCB215DA78AA4643F1

Function 0338D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259f53101b5fa4b991d9f3d4ce32f893bf5857547bb04b4fe6b67d9827d37353
Instruction ID: 46d55c1ede54f6bee47360c0229d2b134f6ccd7431654a73c74828df978e201e
Opcode Fuzzy Hash: 259f53101b5fa4b991d9f3d4ce32f893bf5857547bb04b4fe6b67d9827d37353
Instruction Fuzzy Hash: 1301F2B14083449AE710AF25DDC0B66FF9CEF81324F0CC45AED084A6C2CABD9841C6B2

Function 04CC90E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d7201e03136b1400c3085248f4e5645f2dd8dfb4607cf5ff77fa1caba570a5
Instruction ID: 497f4181c9e2f6dedce89e14ab7025f113b23f65aa6676ddc427bb8a577c345f
Opcode Fuzzy Hash: 05d7201e03136b1400c3085248f4e5645f2dd8dfb4607cf5ff77fa1caba570a5
Instruction Fuzzy Hash: 26012BB6A087405BE7119B74C4583A63BA2EFC6320F5480AFC4568B397DE396946C7B1

Function 0338D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ffae57b25540a83987a66199cd8d206911f852b5283d3f2f74136b5da73d7c
Instruction ID: 23728fe0b1eb86e143119ff5b74068992208f35e28567f7be0d8ebf9071e06f6
Opcode Fuzzy Hash: 34ffae57b25540a83987a66199cd8d206911f852b5283d3f2f74136b5da73d7c
Instruction Fuzzy Hash: FA01007240E3C49ED7128B25CD94B56BFB8DF43224F1D81DBD9888F2A7C2699845C772

Function 04CCF7C1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2baf51920e68776c92017dd76c75cb67014f17e4fb22ee8fb8b435e4450ae241
Instruction ID: 33876084e0fb04186e14a7fa4a29fdfbfb493015e82d13083461bcce8904ecad
Opcode Fuzzy Hash: 2baf51920e68776c92017dd76c75cb67014f17e4fb22ee8fb8b435e4450ae241
Instruction Fuzzy Hash: AB112971D5074A9BCF10DFE4C8445EDBBB2FF99310F10471EE011AA685EBB02686CB90

Function 04CC78E1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3857671f149b8d4978e6201c1b340bec2fc9d96282bc2a4031677cf85fe07a14
Instruction ID: 85cd4631ba75228f6549fd042575b1a30e50e33f0b04a2c7b8007e96d732dad9
Opcode Fuzzy Hash: 3857671f149b8d4978e6201c1b340bec2fc9d96282bc2a4031677cf85fe07a14
Instruction Fuzzy Hash: 1FF0C235301349DBEB086AB9E89457DB7A2EBC8325B10452DD60E8BB90DE22E8038790

Function 04CC7940 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6a1733a185b0bb4037fbf6c1e5ad5a9fcec586fac44a69765fcf38b5352532
Instruction ID: 7b3990633d6c894ced838b6f6aca5641949a009e86f0606c0b16d91bcd727b90
Opcode Fuzzy Hash: 8a6a1733a185b0bb4037fbf6c1e5ad5a9fcec586fac44a69765fcf38b5352532
Instruction Fuzzy Hash: BDF0463120A344AFC3019764D8409AF7BF6EF89121B04049ED04EC7351DE746C05C360

Function 04CCCB62 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc296cb2d422fda923c68e32dcac8f50c860e04d6fd6bda0535f3b63de3f12cf
Instruction ID: ca04268fd403528928e7734f4639e60a242f1c2e567a7fcbe3bcbe651776df68
Opcode Fuzzy Hash: bc296cb2d422fda923c68e32dcac8f50c860e04d6fd6bda0535f3b63de3f12cf
Instruction Fuzzy Hash: 5AF0243420A3800FC316A339989086D7FA6DEC712031506BEC18ACFB22CE2C58068B72

Function 0338D993 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f7586297bca7d1201e34ad99f6ff735912c5a6d372bf539976c0782c72a231
Instruction ID: 4e303e419f991efe0410c6d6492ac806827fe17897936a0cf210ed943dbd4918
Opcode Fuzzy Hash: a5f7586297bca7d1201e34ad99f6ff735912c5a6d372bf539976c0782c72a231
Instruction Fuzzy Hash: 35F0F976200610AFD720DF0AD984C27FBADEBD4670319C59AE84A4B752C671EC42CEA0

Function 04CCDE40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56030886f3a8ed6b214a5b8a7657fb517fa2385dd6539fea546560742a79730
Instruction ID: cf7bc0d323bb7da29a91e269e9b4f506db68510c1a55d01c17a979f7c98f7cca
Opcode Fuzzy Hash: d56030886f3a8ed6b214a5b8a7657fb517fa2385dd6539fea546560742a79730
Instruction Fuzzy Hash: 81F082353042408FC3109F2DD894CA6BBF69FDB71532910ADE585CB336DA61EC01CB90

Function 04CCF7D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90472d9202a93158f93ebdfa8cf5845bda0a283ad17fe4c638e7b1cb2c29c0f0
Instruction ID: ca6b11577bb856c9f8c76b30bb740f954e7f18e4a7c29550ba3a253ba4a03ee1
Opcode Fuzzy Hash: 90472d9202a93158f93ebdfa8cf5845bda0a283ad17fe4c638e7b1cb2c29c0f0
Instruction Fuzzy Hash: CA01D271D1075ADBCB04CFE4C8446EDBBB5FF99300F10472EE015A6644EBB02689CB80

Function 04CC7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3ae5dba5a5c5292fb0687a5b79a26fa284aea07354c02ac40ef8ad92c45c4e
Instruction ID: cc970e6f0d1b7b2c9933dcc9560590e18a9ccef60d0966da2b0191f8278fa095
Opcode Fuzzy Hash: ce3ae5dba5a5c5292fb0687a5b79a26fa284aea07354c02ac40ef8ad92c45c4e
Instruction Fuzzy Hash: BEF0A775700715AFD714AB5AD84497F77EAEBC8671B00052DE10ED3750DF74AD0287A0

Function 0338D984 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2328439149.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_338d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418e166d39a00dfa974a249532addf66c65ae8a153cf475e31a127ce7b76ab15
Instruction ID: d5dc8f7892fcd872a7f1c17301ee0c8193e468e24e98b33e620ebf99b4411922
Opcode Fuzzy Hash: 418e166d39a00dfa974a249532addf66c65ae8a153cf475e31a127ce7b76ab15
Instruction Fuzzy Hash: 04F0F975104A40AFD725DF06CD84D23BBB9EB95660B198589A84A4B752C671FC42CFA0

Function 04CC9160 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6dd25f2de944a839cc08383aee13a1695b6c077f1e846c92b901a970c2a7f1
Instruction ID: bd46eea71cac00cac9a782fe311d807c15842ba5cf93f2955925b48e3cde2edb
Opcode Fuzzy Hash: da6dd25f2de944a839cc08383aee13a1695b6c077f1e846c92b901a970c2a7f1
Instruction Fuzzy Hash: 4EF0BE799153404FE7209F78D4AD79A7FE5EB06320F00446EE14EC7283DB35A881C750

Function 04CC9549 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e24e6317b4095d444a75bc07151d296df5d57e4541d9a2c012956f5360368df
Instruction ID: 918c44e477079e9c109adb37f61bb10eead435a2cbf2b131a5ef0827c00a2d03
Opcode Fuzzy Hash: 1e24e6317b4095d444a75bc07151d296df5d57e4541d9a2c012956f5360368df
Instruction Fuzzy Hash: 21E068923053849B8B5461B948142BB2D8F8BC3771708037EC908D33C2DC34FC0663B0

Function 04CC767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92069a9911449ac49f2d4e166a1ce594fa9d70186687266d5c83770f83c24be3
Instruction ID: d58e089574a8a95a21ece749d2ffe4674554e02a4e6722a0e796dca40cb78f12
Opcode Fuzzy Hash: 92069a9911449ac49f2d4e166a1ce594fa9d70186687266d5c83770f83c24be3
Instruction Fuzzy Hash: 12F030397006158FDB00EBADD840A9A7BB3EBC97557154169E50ACB315DF34DD024BA1

Function 04CC90F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b064cd5c7d0d6317c8ec3b31dd7d325d40145973e32a3e72820b8fac0ab87ff
Instruction ID: ebeb551bed4f5022e39306b3008e8ce9faa444feb62986c7371b7c0293e01b43
Opcode Fuzzy Hash: 8b064cd5c7d0d6317c8ec3b31dd7d325d40145973e32a3e72820b8fac0ab87ff
Instruction Fuzzy Hash: 00F02739A042044BE700BB69D0583AB7796DFC0725F50812EC91A4B389DE396C41CBF0

Function 04CCDE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c863708d2dd9b924f7106f53e14730cc0051ca5e60852575464a7365e9a3462
Instruction ID: d7e56fa71ab1c1901ea6a3809ad194a4a92ff40c9e0529fa2cabf2ea70d89666
Opcode Fuzzy Hash: 5c863708d2dd9b924f7106f53e14730cc0051ca5e60852575464a7365e9a3462
Instruction Fuzzy Hash: 41E0E5353001148F83109B1DD898C6AB7EAEFDE76576A00AEE94ACB325DA61EC01CB90

Function 04CC8969 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519e9888e2df156b4f36782b15ad460ce56bc23f190ccffeb36d1c4933eb09e6
Instruction ID: 402c65a45eef7eae16d6b6b57cf41240b58fc032aa398582e2d5e0b7ed11d6cf
Opcode Fuzzy Hash: 519e9888e2df156b4f36782b15ad460ce56bc23f190ccffeb36d1c4933eb09e6
Instruction Fuzzy Hash: F2F027397183805FCB0A6B70A41826D3F62DF8A629F05409FE6068B243CF684801C3E1

Function 04CCAF98 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8883b4eaba9bd72db9dd6df44e44d223f1054d03900b23aac2ba075271102c9a
Instruction ID: a37691771f95fd31580f24a1cacc5782e5134ae290756be090b455661715af89
Opcode Fuzzy Hash: 8883b4eaba9bd72db9dd6df44e44d223f1054d03900b23aac2ba075271102c9a
Instruction Fuzzy Hash: 9DE0D86170839D178B2A412E6C1C372BB7746C357030844BFE144CB246DC33AD464354

Function 04CCCB78 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2c5a65cc2dcd4e5d23cb50a95b4ebf6ab731d4016b758e9cb0334954a8e368
Instruction ID: 6a8ecbd157f9feed6b25e4db647d46b50d79b2dfeaa20b1353fbdcb1f397ffb7
Opcode Fuzzy Hash: 9d2c5a65cc2dcd4e5d23cb50a95b4ebf6ab731d4016b758e9cb0334954a8e368
Instruction Fuzzy Hash: 77E04F352053045B8268F76EEC81C6EBA8ADEC9570354893DD24E9BB00DE796C0657B1

Function 04CC8739 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dce277296b0f8de0a4f4e8d0bb4f8272b8d0f4a02927ce7d257860b5e683b1f
Instruction ID: fb7c06afc447edb8260f0779600c6448aec44ab2cf9bc04482ff3eae9cb5d910
Opcode Fuzzy Hash: 1dce277296b0f8de0a4f4e8d0bb4f8272b8d0f4a02927ce7d257860b5e683b1f
Instruction Fuzzy Hash: A0E092358541098BCF19BBBAE4494BA7F31EA01202B0041AEF51392196FA30669ACB91

Function 04CC9170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865c9ce4e9d801148192fb9b0abb5b64877157156b511103671f714c59ce8f0c
Instruction ID: 5814dad2e2f643245fa94a5768cd749350f2707398c8e35aca477a0513c7ac8a
Opcode Fuzzy Hash: 865c9ce4e9d801148192fb9b0abb5b64877157156b511103671f714c59ce8f0c
Instruction Fuzzy Hash: 5FF0ED789113049FD764EFB9E49C79A7BE5EB44320F00542EE55ED7341DB35A980CB90

Function 04CCC590 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed5e88c273cf329dadbc97e468f90feaced0a79bc4ee2dd0cad1162f1c64d38
Instruction ID: 071cc8b296cf7db980da92b9801889cc01605e65cc01e8ab832a65c41a12e404
Opcode Fuzzy Hash: 8ed5e88c273cf329dadbc97e468f90feaced0a79bc4ee2dd0cad1162f1c64d38
Instruction Fuzzy Hash: 3FE0D8393043641B8315A71DE8444287BA9EAD6751314107FE649D7261DB18AD0297D1

Function 04CC8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cde03e2178448cc1e50ca69af8ea8720c34f0ffa7ff14a9ade1b7cb5cd261cf
Instruction ID: 8b5c58b25d7a04f76ca3b04e0a0713a63ceaf4c5395f21805b09946ac8f218b5
Opcode Fuzzy Hash: 7cde03e2178448cc1e50ca69af8ea8720c34f0ffa7ff14a9ade1b7cb5cd261cf
Instruction Fuzzy Hash: E0E0DF3971421097CB093775A41C2AE7A56EBC4724F00402FE61A83346CF68681183D9

Function 04CC9558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966a0689e5d78da4974961ff71c8da21fbf57b1bf29a6dae7c4d9d75fac62802
Instruction ID: d4cf502582ee85bcc983a70f0e00da66397d39d940b90b25695a72651c41aefe
Opcode Fuzzy Hash: 966a0689e5d78da4974961ff71c8da21fbf57b1bf29a6dae7c4d9d75fac62802
Instruction Fuzzy Hash: FED0A7927012250B5A5470FE18006BBA9CFCEC55B7745013EDE05D3385EC64EC0933F1

Function 04CCDCF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: bb56572f295f448589798bab189e19ee5ccdc40d01074063932cd0d55cfdb84a
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 3DE08631B00014D78B08959AD4504E9F7A6DBCC220F04847ED90AA7340EA32691686E1

Function 04CCDCA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f352a4ecd4b2c893cdb92b13f2cb16b62612691b1c463f592948f4614e1ffec
Instruction ID: c2c59862521a524ae4314b92f4f94ba3807624508916b7e8df34a132f71ab3cc
Opcode Fuzzy Hash: 9f352a4ecd4b2c893cdb92b13f2cb16b62612691b1c463f592948f4614e1ffec
Instruction Fuzzy Hash: 24E08C39700B14578225AA1EA80085F7B9BDAC4A71350842EE01A87308DFB8E90247D5

Function 04CC8800 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a92358b2b73138c8ba6424c69fb9377b82aee7adb9dddc02573adc05b08ac0e
Instruction ID: e737ae4f58be291b6d5b07438fdf9ddb68653cf8df0e0a9f961f00bf53a6c2f3
Opcode Fuzzy Hash: 8a92358b2b73138c8ba6424c69fb9377b82aee7adb9dddc02573adc05b08ac0e
Instruction Fuzzy Hash: 12E09234D1824A4B8714AF64E44696ABFB2DB15306F00806DED0597746DB316951DB90

Function 04CCC5A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d9e2a4a983ce838b2c854f91b163ccbd950a46bd644bf14fc19120ac1c1c00
Instruction ID: 464682809b0773aa225a0a0151ce2b67f4e01033c1e213dc199ed7b3bba38e53
Opcode Fuzzy Hash: 33d9e2a4a983ce838b2c854f91b163ccbd950a46bd644bf14fc19120ac1c1c00
Instruction Fuzzy Hash: 27D05E3D3002101B42046359F44445977DDD6DAA62300403FE60AC3344DF659C0283A4

Function 04CCF860 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925c76fc2d0450d3e8da988feed976be5847f318c241a2a6992d531769e9f0df
Instruction ID: 5745178da9cd260773038dc7cd5c6259a74c6b51a1572c17922bfbd34668f336
Opcode Fuzzy Hash: 925c76fc2d0450d3e8da988feed976be5847f318c241a2a6992d531769e9f0df
Instruction Fuzzy Hash: 1BE01A70E0014ACFC780DF7DC8415A9FFF0EB49200B1486AEC949D7201E3324611CB81

Function 04CCF870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: dfd836f0e9296d13078995941446d21401d8daee6adbc06fe6c699fb4a3e80e7
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: E6D067B4E042099F8780EFADC94156EFBF5EB49200F6485AEC919E7341F7329A12DBD1

Function 04CC8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30243e5894a82c35fdb2d96ba8c524bfd5953438a2dbbb2213692df6c912390
Instruction ID: 0c81b4c3f02ee5664d6eea2f13f0d63ec0ebb60b6b4089773696c07f70d2bb3b
Opcode Fuzzy Hash: d30243e5894a82c35fdb2d96ba8c524bfd5953438a2dbbb2213692df6c912390
Instruction Fuzzy Hash: 4BD012348141098BCB08BBA5F41A4BD7B34FA00301F41415EE91752196EB301696CBC0

Function 04CC8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1205065e09848f1e2add9db35d4b3eb122af55fc4b2dd04ac75f300705e49eb7
Instruction ID: 06a9ff7fd5d544e0d9219046ba076f1a79639141da6e06218f1961ddb2e6383a
Opcode Fuzzy Hash: 1205065e09848f1e2add9db35d4b3eb122af55fc4b2dd04ac75f300705e49eb7
Instruction Fuzzy Hash: 10D01234A1420A8B8704EFA5E44646EBBB5EB45301F00815EED0593345EB305851CBC1

Function 04CC7E90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4182e68d60f51dedd14b2bebdc3cc3a49a1ac56b7e890f92e3638a3da64bf85e
Instruction ID: b53fd7b643848e8ced16f7b34ec8386cc1f0385dc9087de1025b5134cdfb4d5f
Opcode Fuzzy Hash: 4182e68d60f51dedd14b2bebdc3cc3a49a1ac56b7e890f92e3638a3da64bf85e
Instruction Fuzzy Hash: 6FC04C1904FBCC9FD30312254D615456F31154301474F11DA8584CF563D55D5809CF62

Function 04CC7920 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532fbd1d2aad14e1cfb16eeb74add2665d087fb8c7895fb8e379959784b2cdd5
Instruction ID: 2fb74bb85a37197ed0fac8c394f7d637d14c8c03a612c13dd01959f1ab7f05ab
Opcode Fuzzy Hash: 532fbd1d2aad14e1cfb16eeb74add2665d087fb8c7895fb8e379959784b2cdd5
Instruction Fuzzy Hash: BAC080340473C89FCB259B34D06485C3F34EF0111475104DCD8460F6B3C9728086DF01

Function 04CC7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f63d3eb981df515506e18a91d1bc444071d510b9cd37f674306744f2e105125
Instruction ID: db22956f4210f685a647b34d1cd1d70d533c50ba2ef490ab0ec5199edcaeec24
Opcode Fuzzy Hash: 6f63d3eb981df515506e18a91d1bc444071d510b9cd37f674306744f2e105125
Instruction Fuzzy Hash: 10B0923018674C9FC2486F75A818814772DEB402157C004A8E80E0B3A29E76E885CA44

Non-executed Functions

Function 07B42327 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

piSk, xrefs: 07B42416
piSk, xrefs: 07B423B0
piSk, xrefs: 07B423A0
piSk, xrefs: 07B42363

Memory Dump Source

Source File: 0000000E.00000002.2366442352.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7b40000_powershell.jbxd

Similarity

API ID:
String ID: piSk$piSk$piSk$piSk
API String ID: 0-3297288369
Opcode ID: 7679cf954ec34f3270cf72dd331e954bda66c6f14ec50cc914ea8e9791d99c7b
Instruction ID: 27d056dc78279859bc9668e8246fe3267197b1fe2ef43be653ce11067b264944
Opcode Fuzzy Hash: 7679cf954ec34f3270cf72dd331e954bda66c6f14ec50cc914ea8e9791d99c7b
Instruction Fuzzy Hash: D841F5B270021ADFFB249B6985402EABBF2FBC5210F4484BAF9558F641DB31D944E762

Function 04CC4D62 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

'n^, xrefs: 04CC4D82
'n^, xrefs: 04CC4DE2
'n^, xrefs: 04CC4D62
'n^, xrefs: 04CC4DD2

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID: 'n^$'n^$'n^$'n^
API String ID: 0-370614551
Opcode ID: 8bffb7ec3236e2116026a153954d9cd694f79a29d3bd80aff70e5014d62dda2e
Instruction ID: 84ec4d31f59d7259c2e55c65c93b9f3224a739a49a0f55f4b647625dd92bb3b2
Opcode Fuzzy Hash: 8bffb7ec3236e2116026a153954d9cd694f79a29d3bd80aff70e5014d62dda2e
Instruction Fuzzy Hash: 1441D2616093D09FC7079B3CD8A46D53FE2AF97258B0A40DBD5C4CF2A3EA249C0AC756

Function 04CC4CB2 Relevance: 5.0, Strings: 4, Instructions: 43COMMON

Download Yara Rule

Strings

'n^, xrefs: 04CC4CD2
'n^, xrefs: 04CC4CB2
'n^, xrefs: 04CC4D32
'n^, xrefs: 04CC4CE2

Memory Dump Source

Source File: 0000000E.00000002.2329425313.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4cc0000_powershell.jbxd

Similarity

API ID:
String ID: 'n^$'n^$'n^$'n^
API String ID: 0-370614551
Opcode ID: ea076350bd7f81fd6b9f2f3456f29b12d3cc5e85893a882cac19349b0ef609ae
Instruction ID: 2d1950b06a0df84364079d5e8f66c0beefc84d8af031fe7790c77f00b4ec3e9f
Opcode Fuzzy Hash: ea076350bd7f81fd6b9f2f3456f29b12d3cc5e85893a882cac19349b0ef609ae
Instruction Fuzzy Hash: 0711299650A3C14FCB1A9B2988A82853F66FFA72D4F0E10DBC0C89F093DD26150B8706

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r10072024085940.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mcbxpec.fms.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2g0af0uo.c4b.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bur112n4.vuu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_darftneo.tma.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfyfk3ya.dqh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2ide0yr.khe.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvdupxdf.out.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ia1mhcba.m00.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kue1o3yy.lqi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_om4vysac.n30.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soyoeknt.bj2.psm1

Windows Analysis Report
r10072024085940.scr.exe

Function 0282D41A Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 0282D420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 073161AD Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON