Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
6ab092aeab924edb854b3ff21ea579df.exe

Overview

General Information

Sample name:6ab092aeab924edb854b3ff21ea579df.exe
Analysis ID:1508105
MD5:5d5aa86355c219b3c6d2d1f3cbc48f7b
SHA1:cd80999aa94c79a3f1b6e27afd7ec89f72a820c3
SHA256:d45384c86bcee5d875a2fbe48be240636478bf3c8d730526816d2e30d04a5c61
Tags:exe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 6ab092aeab924edb854b3ff21ea579df.exe (PID: 7980 cmdline: "C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe" MD5: 5D5AA86355C219B3C6D2D1F3CBC48F7B)
    • RegSvcs.exe (PID: 8056 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • powershell.exe (PID: 8172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["notes-ease.gl.at.ply.gg"], "Port": "22444", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "Windows.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0xd554:$s6: VirtualBox
    • 0xd4b2:$s8: Win32_ComputerSystem
    • 0xefa3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xf040:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xf155:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xe59d:$cnc4: POST / HTTP/1.1
    00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x1b434:$s6: VirtualBox
      • 0x1b392:$s8: Win32_ComputerSystem
      • 0x1ce83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1cf20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1d035:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x1c47d:$cnc4: POST / HTTP/1.1
      00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        Click to see the 9 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        3.2.RegSvcs.exe.400000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
          3.2.RegSvcs.exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            3.2.RegSvcs.exe.400000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xd754:$s6: VirtualBox
            • 0xd6b2:$s8: Win32_ComputerSystem
            • 0xf1a3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xf240:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xf355:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xe79d:$cnc4: POST / HTTP/1.1
            0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                Click to see the 13 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 8064, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 8172, ProcessName: powershell.exe
                Sigma detected: Change PowerShell Policies to an Insecure Level
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 8064, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 8172, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 8064, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 8172, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 8064, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 8172, ProcessName: powershell.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-09-09T17:33:02.910364+020028531931Malware Command and Control Activity Detected192.168.2.864172147.185.221.1722444TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: 6ab092aeab924edb854b3ff21ea579df.exeAvira: detected
                Found malware configuration
                Source: 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["notes-ease.gl.at.ply.gg"], "Port": "22444", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "Windows.exe", "Version": "XWorm V5.6"}
                Multi AV Scanner detection for submitted file
                Source: 6ab092aeab924edb854b3ff21ea579df.exeReversingLabs: Detection: 34%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: 6ab092aeab924edb854b3ff21ea579df.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 3.2.RegSvcs.exe.400000.0.unpackString decryptor: notes-ease.gl.at.ply.gg
                Source: 3.2.RegSvcs.exe.400000.0.unpackString decryptor: 22444
                Source: 3.2.RegSvcs.exe.400000.0.unpackString decryptor: <123456789>
                Source: 3.2.RegSvcs.exe.400000.0.unpackString decryptor: <Xwormmm>
                Source: 3.2.RegSvcs.exe.400000.0.unpackString decryptor: XWorm V5.6
                Source: 3.2.RegSvcs.exe.400000.0.unpackString decryptor: Windows.exe

                Compliance

                barindex
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeUnpacked PE file: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.f30000.0.unpack
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdb source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389788935.0000000004F00000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdbBSJB source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389788935.0000000004F00000.00000004.08000000.00040000.00000000.sdmp

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:64164 -> 147.185.221.17:22444
                Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:64172 -> 147.185.221.17:22444
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: notes-ease.gl.at.ply.gg
                Yara detected Generic Downloader
                Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae49b8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.8:49706 -> 147.185.221.17:22444
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                Source: Joe Sandbox ViewIP Address: 147.185.221.17 147.185.221.17
                Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                Source: unknownDNS query: name: ip-api.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: ip-api.com
                Source: global trafficDNS traffic detected: DNS query: notes-ease.gl.at.ply.gg
                Source: global trafficDNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
                Source: powershell.exe, 00000007.00000002.1490075894.0000000008679000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                Source: powershell.exe, 00000004.00000002.1450036216.0000000008AFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro.
                Source: powershell.exe, 00000007.00000002.1490075894.0000000008633000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microz
                Source: 6ab092aeab924edb854b3ff21ea579df.exeString found in binary or memory: http://goo.gl/YroZm&quot;
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                Source: powershell.exe, 00000004.00000002.1442843234.000000000605C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000004.00000002.1438844114.0000000005146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: RegSvcs.exe, 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1438844114.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004BB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000004.00000002.1438844114.0000000005146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000007.00000002.1490075894.0000000008679000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                Source: powershell.exe, 00000007.00000002.1490075894.0000000008679000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co6
                Source: powershell.exe, 00000004.00000002.1438844114.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004BB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000004.00000002.1442843234.000000000605C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                Operating System Destruction

                barindex
                Protects its processes via BreakOnTermination flag
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: 01 00 00 00 Jump to behavior

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae49b8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae41d0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae3ddc.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                .NET source code contains very large strings
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _R36BdaYaPpYeiRyCHEHU2oSfcY8.csLong String: Length: 121984
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _R36BdaYaPpYeiRyCHEHU2oSfcY8.csLong String: Length: 46432
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB8CEC NtAllocateVirtualMemory,0_2_04EB8CEC
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB8CE0 NtUnmapViewOfSection,0_2_04EB8CE0
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB8CF8 NtWriteVirtualMemory,0_2_04EB8CF8
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB8D10 NtSetContextThread,0_2_04EB8D10
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EBA060 NtResumeThread,0_2_04EBA060
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EBBC50 NtWriteVirtualMemory,0_2_04EBBC50
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB8D1C NtSetContextThread,0_2_04EB8D1C
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EBC1B0 NtSetContextThread,0_2_04EBC1B0
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_00F6E58C0_2_00F6E58C
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_00E3541D0_2_00E3541D
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EBA4700_2_04EBA470
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB7DA00_2_04EB7DA0
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB96E10_2_04EB96E1
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB80100_2_04EB8010
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB7D910_2_04EB7D91
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB28800_2_04EB2880
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB80000_2_04EB8000
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EBA1620_2_04EBA162
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB2A6C0_2_04EB2A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_018342903_2_01834290
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_018385903_2_01838590
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_018348A83_2_018348A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01838E603_2_01838E60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_018382483_2_01838248
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_018314483_2_01831448
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036DB4904_2_036DB490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036DB4704_2_036DB470
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04AFB4907_2_04AFB490
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_08AD3A987_2_08AD3A98
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesystem.exe4 vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000000.1375086028.0000000001004000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesDTRwD vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMevlana.dll0 vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesystem.exe4 vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389817763.0000000004F50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1388712864.0000000000C9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389788935.0000000004F00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMevlana.dll0 vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exeBinary or memory string: OriginalFilenamesDTRwD vs 6ab092aeab924edb854b3ff21ea579df.exe
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae49b8.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae41d0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae3ddc.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.4f00000.7.raw.unpack, ControlLayout.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, ControlLayout.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, fWw8ZyhVlYkHfBB67GaeRrj3PIe1no6n0BLCw.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, 88nQNm25NQh5PkykT63K46WdwQjci7gq4ATYT.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, 88nQNm25NQh5PkykT63K46WdwQjci7gq4ATYT.csCryptographic APIs: 'TransformFinalBlock'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _R36BdaYaPpYeiRyCHEHU2oSfcY8.csBase64 encoded string: 'gE8SCPF1rSsBdcJb5dI3UlYL7jvEFvWAfFstM0QWR5jgVMUnOKOKcHxbLTNEFkeYfFstM0QWR5h8Wy0zRBZHmHxbLTNEFkeYfFstM0QWR5jasZcp3A2fe0aFOtODdmp7jcUMdI1e5/NEDOeWnYtrp8OzCVG8A1dO+C2EVzrl/zLeh59k3kpk7Nzdgw0nm7IG2y/qQ1/ZJMr5NK71WL5fnax+l/m78yQ//EqmC6lLlmSsGyI0+T5EQfvxsnhW6HUnyeAk/VcJT7pNgGIyE0AVXPVbmy5v0B1VfFstM0QWR5gml07URirmxsvGGowiNLXaWM8riYSiJIXWFwHOiIZ1v2Xr8W3S47zPAXXCW+XSN1JTjEiT/J/JphTVOReKVJm16v6chc1y6nC0fuG3gm2L9aeRl2SxgqA5/+WTZWgHOP6NBq/lkBgY/XxbLTNEFkeYlkkSl83fmeWObhwapHqI/slEHlncTBsMfFstM0QWR5h8Wy0zRBZHmHxbLTNEFkeYNHb5aM2/ZXV8Wy0zRBZHmHxbLTNEFkeYfFstM0QWR5h8Wy0zRBZHmHxbLTNEFkeYfFstM0QWR5h8Wy0zRBZHmHxbLTNEFkeYVpVwvdEn/g+HC1Uz+DZ9qHxbLTNEFkeYINJrdPQUr8l8Wy0zRBZHmMapIDYT5p8nTgZiRxUntK3ZX70F/dH7saSiOPGSI7qx6SgXXWkZqVR8Wy0zRBZHmF6dXgvkQVI2woLxzcO3cMZHhYEbWgW1TcvGGowiNLXa+bLOfG/XR/B0sk/SxjozpXxbLTNEFkeY2MCkOYR+KZXkd1Zhlmksahg1rGh+P1Edz8K0ug09Eauf0FoW1PvBOXxbLTNEFkeYfFstM0QWR5ggaJPQ2kdDrXxbLTNEFkeYfFstM0QWR5jW5anwcPSd2rwVVxzNO/SOJz7yCfHcUZideLVp5X4gZ59VzKu6ciVM2ZXxE6GhIMB8Wy0zRBZHmHxbLTNEFkeYfFstM0QWR5h8Wy0zRBZHmHxbLTNEFkeYfFstM0QWR5h8Wy0zRBZHmD68ygj98WOCKNaWvYHy/N0fr8s1S1uxs7i2YviS0NmYlTC6AE5mQI19w1UyNpnF/MPO8qHt1o8wc51GTvilIWhLpiXC+zK/nsYHO3TixUZqiZBkej4G0tQ57+IigGaxLB5pNgOHC852BZ9FzKqv5FFEA763bNOf7eHaBhLDqaHUHC7/8evysvFaJUavchUXb84+O4XU/3CNWcCQhWVJ+RHmmJYsWfOFievq3SihwtyPRNRFkLTbZ0/QA/7V0t++sMqE6bMnKtlzc6jONZRTcnF8eSATDLTcfwCf5PSMXHlDE2iI5EFTAazTsMIEiFtH0D1phkKCLMgBLZCoTlW5p25QwkvGLOnNo66gOeK3VsWtAy1um+O3jzRBae7D0iUr98o5SyJsTTzu/uzEbH1tJtkiQdWZNTOMgb0zoe5LawBN+NACi+4bPWA6by487MqIpxfNRRPsfj1QyDaTlqJzAiJfsvX8vXNN4Ym8ywN9JBY05kGrQgQEVxghe0cZwuyqVag+1quq/NiAFpRsFojlD5XPcbjgwaYawNigZqRCjgxXQTorDU8pHOo/HASMqHUlx9UJgIKKcus6ClMuptISlmoZ+2zr0puG9jIfec8G+IBN6eY0nvpNRwbasFGrD8FSK8NChV0oCKMZRNEgsbxNtgRvQEK0ZmpV9ZzTvLRoRb30/hHqEn8JGhh0qvv8chrOUcJyVpU7SnnMH3ADKxz7GK2ZAdUen4mUywlVR5nHrDtI7U4ACgPz69mVLTm1q38ZJfM1ErCZKDjqE5GBaa/GsxqqP+qw7bi8+YCA+hDfFQkiDgtNgXlKAxkS4g6wbMUwxGCa3bR7h199jcAXE3GvcnK016S3XD8e3SkSjcdEapIeWSwI0rXcOewtqUTB3QmwJoAjkfWo3PW/mncHID9Tu7tvvZRoFCvzTR1pEq2xPwPVNlEzVBRzig3Xj7+o+hyabpl3E8BgHkcKHII4B53HNkMFQpJSJPI8hGTsIXhOQa7QZS2RtjqCBh40nRW6LmL+CAabbXq2EeDr5/y6eXdErmxi0qw8ilfOMtBmN7FPeqGQZrXcBEVL63FtOKDv8EwIfyn3idEV217jKi838Y0Yxhtq4NTsaHTVayLzfCNmuVT4Zmlz4PjeVAZSeCZpGjYArWL2f7n/r5uAwjwtO3dBqWLiDffAL8W1z2p9QmbXlVz3BFXfzbChoK02ZZnB6dEjnQRtvKNu0AjoRAyrn+lX2FcI7amQj6RNPiovN/GNGMYbSsLrmxd709bUfglHjoLzeQdp9Xc1HVuBIEASPIxPxgQdGcINQAv8BYwdipqJULQIUrObOr5cBSID7Y7cT0ZY0sfVicLEem8rtVS/XF3qTt2MTYt61jCowOumFVXh/I2vftW/LlkvxrVfmeZmf5cP2FqGG9sNETubICVJR0E9M4TSyobiEaIxf1fBRrdxhx0c/cu5aOKaC9RXOhrw22yKo943v86sHaIkVmKhE6GFl7E3Z1iDpwbsgQWR4jecQgvUbPbO3rakuW0x8swUansIig1bJOdSCqRpYtKsPIpXzjK0MTIIbZ07Uhqsn7ut8Emavkf8Nz9nDMQbyDXabk1u2a2a7pSw3q/DetKUGVGz2QJLtMWFcGBP9WZ+zIVjFF4ohkrqN10+sgw7A/HOkxh+ylis7ZjcZUV/rZrulLDer8PVP1x4c9odMbYF3kMvK4D8TxNsdnxVHqSuzDdIZM5CLUvBgGOOSNxsFFVNSvV7F59NZnrFEAzQfI4+6URIYmwPFA1dqr3HLqIwvfgKSjBRBIkfC/BnM8hPKe/xMEs+sp9zqM41lFNycVr+hJ0XxgcL0FF11lSTi06hhgFvY8j4u6JEtXxMVkh3fxDgx/r410ma6LluLYASLPwQGibIBVpC8TLBZOtsL6UX04NRrxG714P6f9Fz6XPPBDa/mYX8ht/x/nbsm3Z8E8J
                Source: classification engineClassification label: mal100.troj.evad.winEXE@12/10@4/2
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6ab092aeab924edb854b3ff21ea579df.exe.logJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8056:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\YI6MWrq1gpwP8vnH
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_redb0z52.iff.ps1Jump to behavior
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 6ab092aeab924edb854b3ff21ea579df.exeReversingLabs: Detection: 34%
                Source: unknownProcess created: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe "C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe"
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 6ab092aeab924edb854b3ff21ea579df.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdb source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389788935.0000000004F00000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: C:\Users\US\source\repos\Mevlana\obj\Debug\Mevlana.pdbBSJB source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389788935.0000000004F00000.00000004.08000000.00040000.00000000.sdmp

                Data Obfuscation

                barindex
                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeUnpacked PE file: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.f30000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeUnpacked PE file: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.f30000.0.unpack
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, eTiKHLF34GolSQ6PFMcloAOO0g0kcw9nw8ECGA7aqWjnLLecA3bY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{PO2J9D1WRiI6m0ipwAd0v13JsqfjP1meDFXCDrksTbZIjBpTdSzl.OmWuI4nkSIssBvsyZDzNWwsauLa6WzcnQqLJh63e7vFp2X405M5t,PO2J9D1WRiI6m0ipwAd0v13JsqfjP1meDFXCDrksTbZIjBpTdSzl.fj08V1L4HFqalfusBSE3tp7Gb04vOsubka5M8PjU7E5kWoJvI0YY,PO2J9D1WRiI6m0ipwAd0v13JsqfjP1meDFXCDrksTbZIjBpTdSzl.vLl0MljO54R8brose5tfATQZI2jIB6Pr7TLzCgdC698wFaF8aKkX,PO2J9D1WRiI6m0ipwAd0v13JsqfjP1meDFXCDrksTbZIjBpTdSzl.CA6QriPNJC2bLWeMIzIRBvz1xYWLY7cuzMLdG96b0xh2f31TQDTR,_88nQNm25NQh5PkykT63K46WdwQjci7gq4ATYT.ZAVGY18lDoOiIcIdX4JQ0nCbXacIaJg1jdk5K()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, eTiKHLF34GolSQ6PFMcloAOO0g0kcw9nw8ECGA7aqWjnLLecA3bY.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{O5EROl0chZMbWFbwLvsPDnUYFqitJDznEIXiKoq81bU7ZNRnMNMi[2],_88nQNm25NQh5PkykT63K46WdwQjci7gq4ATYT.AOpKzwPWRZAQ3RyCPRu6EptUIq9QllYsDuZ0y(Convert.FromBase64String(O5EROl0chZMbWFbwLvsPDnUYFqitJDznEIXiKoq81bU7ZNRnMNMi[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                .NET source code contains potential unpacker
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.4f00000.7.raw.unpack, VectorManager.cs.Net Code: CheckFunction System.Reflection.Assembly.Load(byte[])
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, VectorManager.cs.Net Code: CheckFunction System.Reflection.Assembly.Load(byte[])
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, eTiKHLF34GolSQ6PFMcloAOO0g0kcw9nw8ECGA7aqWjnLLecA3bY.cs.Net Code: TvGeLPqvcnN0MCiMa5O21nmRHVTLf74gNqH26yLP2mHF3ERWvgTj System.AppDomain.Load(byte[])
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, eTiKHLF34GolSQ6PFMcloAOO0g0kcw9nw8ECGA7aqWjnLLecA3bY.cs.Net Code: ghGC0FKih7ZVa7xycWLpmrjF2OYI0r9CP4rr9amztEFjzVgfduYi System.AppDomain.Load(byte[])
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, eTiKHLF34GolSQ6PFMcloAOO0g0kcw9nw8ECGA7aqWjnLLecA3bY.cs.Net Code: ghGC0FKih7ZVa7xycWLpmrjF2OYI0r9CP4rr9amztEFjzVgfduYi
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_00F3255B push ds; ret 0_2_00F32617
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeCode function: 0_2_04EB2F5D push 69FFFFFFh; iretd 0_2_04EB2F62
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_018372E8 pushad ; iretd 3_2_018372E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01837230 push eax; iretd 3_2_01837231
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D6348 push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D6328 push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D633D push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D62DD push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D62A8 push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D62B8 push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D629D push eax; ret 4_2_036D6351
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_036D2CA5 push 04B807EEh; retf 4_2_036D2CFE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04AF629D push eax; ret 7_2_04AF6351
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _pnHdYInA20yBItAr4X83VVFIeHQA.csHigh entropy of concatenated method names: '_BXND2LCMYzvhGdxW2atZpZuD4Mb', '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_jNfKERK9lOZbvLGnMcob5JtkB8r', '_0CJIzJCTAkjXqdZ4wGIytESOpm', '_rixS0h4yK9wPdBUIMkhweRu2AXO'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _HGZddQbY7RqcqYfmWDUBpZ1cCr3.csHigh entropy of concatenated method names: '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_qF8QT8PlmRmB5ASiuVLDJxhNTAU', '_yZ1OVLH4acpmQxpNcumlD61JtUu', '_TthZiaTLyOCZE5YuEMwq9sn1hxA', '_qb66koZOngPbg5KiF3rBUY9GU1D', 'Resolve', '_X2VXW3Sn6qm3MdKa3BlBOlzzsWD', '_X2VXW3Sn6qm3MdKa3BlBOlzzsWD'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _i54krVf2ti5d1QJUGUmbGOsrMPc.csHigh entropy of concatenated method names: '_q4KdNJ0OmCZx0IbEHyNPM8BsHXbA', '_97ihLUJQw0jIXYtlSkmR1g51bSg', '_KwA31fda4XTbIFgiM7dteeQ4Hj1A', '_QnjzvXqjDcax2XF0YRQC7kdZWOF', '_bfkWAAGbBh7Ehw5krx8d656oXGN', '_kWjapE8BOjDngPqnY39LBwhtm5BA', '_yUd3nIlbWYMTQeAQHs5lijfyJ2m', '_VMVVCSiyxeGbPXvx0uxdekQOher'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _yEZHUnbqtq0X2gi7NscSxbLyUWb.csHigh entropy of concatenated method names: '_Yo4mb7kSvrozUNcBTEbJpo1AwbY', '_Yo4mb7kSvrozUNcBTEbJpo1AwbY', '_x9ybuOvaa9dgJHSmFjiIHAyCgGd', '_x9ybuOvaa9dgJHSmFjiIHAyCgGd', '_jMcaDqg7gNRVLYrB86gdS36Fpb', '_jMcaDqg7gNRVLYrB86gdS36Fpb', '_fkAcVP8KA8Wet29zh9gmvAapQRG', '_fkAcVP8KA8Wet29zh9gmvAapQRG', '_yP33DjL3pXxOTlCUfT4JvAN31Bi', '_yP33DjL3pXxOTlCUfT4JvAN31Bi'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _MmQQiz5TQ5y9wXClDuxeDKI3NMc.csHigh entropy of concatenated method names: '_6sl8r3ruawa8jVsdSRFb1tKk88q', '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_opIePo5Bf1rtLXUJBRYpB26qJmp', '_0CJIzJCTAkjXqdZ4wGIytESOpm', '_rixS0h4yK9wPdBUIMkhweRu2AXO', '_KMgKLbrclZ0XFmhShwNgsunJoDe'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _3J6eTk36VAZkoYK3ANkiaHLbis0.csHigh entropy of concatenated method names: '_BCosM6D6HCPhFHjkh9Eiqd4TqRe', '_67fDFRe6Weea8LrjxYAslfAyIPd', '_opA8D9dgEXkACLvlHdQtla390oR', '_Ek7ktFHKbm2jI9gQOSuPOcQJGdD', '_JQACZrULgFQ3gKZUhlBVlrj5WZo', '_eonsJWYx1UUQ2XS3fTTTrROVwlD', '_3e2ZbMVCmjdFQfCqqNguzLDkIv3', '_1itHVJuBfb1iSDNFcl0DNfdTjuAb'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _UA8rH75rjnfzyNaSMdadot3aaxQ.csHigh entropy of concatenated method names: '_Yo4mb7kSvrozUNcBTEbJpo1AwbY', '_x9ybuOvaa9dgJHSmFjiIHAyCgGd', '_jMcaDqg7gNRVLYrB86gdS36Fpb', '_fkAcVP8KA8Wet29zh9gmvAapQRG', '_yP33DjL3pXxOTlCUfT4JvAN31Bi', '_6XiVAyukQ6RqNpJ8gAKgvQs77D', '_rBqkIcBphA878fQBcM73N9orGQC', '_9WkIxDgjbD6akYCkqXHVjuaztHo', '_tHCUPEpHOiQUZQ0UmbxAr6M69BF', '_DQtdeKyyB0P9Wtdz9lqFrIsOI3L'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _4sWKzH5oCEPVYV9RyeQ08sUNEkC.csHigh entropy of concatenated method names: '_Hy3uGVNPmKwxxrEVUufWQx9CpTb', '_FN4XmA3BlcI8HLa0CBM4ZDlKyPM', '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_mJ8asGFDxIqUNz5pk8WMiJQJHjn', '_jNfKERK9lOZbvLGnMcob5JtkB8r', '_0CJIzJCTAkjXqdZ4wGIytESOpm', '_rixS0h4yK9wPdBUIMkhweRu2AXO'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _519BVx64bmd54KeJE2bvsZwLdJQ.csHigh entropy of concatenated method names: '_6sl8r3ruawa8jVsdSRFb1tKk88q', '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_opIePo5Bf1rtLXUJBRYpB26qJmp', '_0CJIzJCTAkjXqdZ4wGIytESOpm', '_rixS0h4yK9wPdBUIMkhweRu2AXO', '_KMgKLbrclZ0XFmhShwNgsunJoDe'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _pBke3PVG05aWgnNhOpru0HtZo9G.csHigh entropy of concatenated method names: '_n0neIQHFr3hO4g4KfNaALCIALgb', '_BeuLBDHGv4CDnGuT2zOrUW1RYys', '_3MOo2YGhnDajfbCifidAq8rUvyE', '_6olejtmFiuPc8aKf10XZbGJ2ppb', '_4I8zB0rz7oAXSEiJEAE3dPldzQp', '_uTtztgEw43XKiJFDacPO6timSjo', '_esK6okIrtAfAedrSKoa0vt5qZJf', '_895MlcGITnjpERThob7DddyQHof', '_T2jy8rPNDhaaiWKb06666cPKau1', '_60SbQsqQmkMI0nOgZMn7NoUZBrq'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _P1XzYXkTBIdtzb7Acge6afzUzxM.csHigh entropy of concatenated method names: '_6sl8r3ruawa8jVsdSRFb1tKk88q', '_FflYJm5d8KrHwNbXuHheIH64JAd', '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_opIePo5Bf1rtLXUJBRYpB26qJmp', '_TAfZTMrDh4hNAe1kgu1nWDYDief', '_0CJIzJCTAkjXqdZ4wGIytESOpm', '_L8LrHRget0XUMuWznx4xbZNLG4'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _8GmB1kFFSHoxNT31CjfxLEMJdPi.csHigh entropy of concatenated method names: '_BCosM6D6HCPhFHjkh9Eiqd4TqRe', '_opA8D9dgEXkACLvlHdQtla390oR', '_67fDFRe6Weea8LrjxYAslfAyIPd', '_67fDFRe6Weea8LrjxYAslfAyIPd', '_JQACZrULgFQ3gKZUhlBVlrj5WZo', '_RBUokc2hAMyl4WA7y2Sdmyw2onx', '_u2EM6kJdjSYqImVW9NOph5N2WOm', '_wBpUFhRT7z6ON6zdWbXAtGQhIKJ'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _uQnystXNqRBqffZNHeQdyoIxEKm.csHigh entropy of concatenated method names: '_aDsnlXkoQWaLgRWvfYVndW1J9FF', '_bNLmm52duUhbuSO8jNy4XNQza7A', '_9PvlBKuIG2FvQDweKjugxWzl89k', '_8rKjBogCjXJ6dk9jqjrQrm0KbMl', '_9PvlBKuIG2FvQDweKjugxWzl89k', '_8rKjBogCjXJ6dk9jqjrQrm0KbMl', '_OBrDFkzXnz2k6XuYDgu1GoRNhMb', '_4dAROH0JTv9UWNLJTuhJmrCN1mc', '_svzadJGNal1wdgDsMVLEksdl8FpA', '_svzadJGNal1wdgDsMVLEksdl8FpA'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _VT0gfhuVqU4apqT8xiB0tXJCrtp.csHigh entropy of concatenated method names: '_UWztMTSnkOQdJKF37GHLieQCvgC', '_BeuLBDHGv4CDnGuT2zOrUW1RYys', '_n00B6iDpKejwaEoKDmMPwh8CNOv', '_895MlcGITnjpERThob7DddyQHof', '_t8MXAWQKz6XuPj7uvSkf7DJyb8I', '_v4fiMI6Dz0CcXni16fpay9Er0Vg', '_mpI3bL0iMZmlRjH4RZpLTUiIwfp', '_RJtbt8WRxI6YW7jHww6zVttixzE', '_PxJGsGXx0IXnLvVb8YmUvlCfSXJ'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _sPfb3mFZMTSgy1cbPhCbtnAqNx3.csHigh entropy of concatenated method names: '_3sypi4LlAek69dQayidduhkx50Q', '_6d7KOE4GeZydBDBBSLjblu1fyQbA', '_cBGhbi20yAYLVJyw1gDUiYxgpUB', '_YHCkm1HGzkSWFddjLdfQQJTNRHF', '_3Ssi1btst003FDLgMY8aOBimDIN', '_FcMARstOAdSMZ7JiDqg9l7fvOSY', '_jNfKERK9lOZbvLGnMcob5JtkB8r', '_0CJIzJCTAkjXqdZ4wGIytESOpm', '_rixS0h4yK9wPdBUIMkhweRu2AXO', '_gdNkOrZf6ayDJWVaPTzIirVmZdd'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _sq8IEGnE9jTbHKVOBHFs20AinyL.csHigh entropy of concatenated method names: '_RaLRAv5QmJjlRBJBT0KnE5jArlp', '_d9ctPn4biMdRMhNVyyGDySV8wAp', '_f5d4Ni6IuhpgyaN2iSnus6Z6Zog', '_u1tgj33ddgd6S4gFumxPvHoBeEk', '_m8VgcGVXBfHXiRwDw0sAaFSKdsD', '_Jarc2RkxyYKu76KpfDMvMB1GvWG', '_rFHD0g5tWxcvZ8T1PGHuEikpicq', '_gZoFDTjozNq35Wvp11y6RK5XpNA', '_pBAYd7kPygr6aeaLWXBaEiswIyM', '_VZjnCrNawbLKNd5v7axOEwgxswI'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _KWnXiNAk0mga73FQWv6Bpm6Lqie.csHigh entropy of concatenated method names: 'Resolve', '_rixS0h4yK9wPdBUIMkhweRu2AXO', '_X2VXW3Sn6qm3MdKa3BlBOlzzsWD', '_X2VXW3Sn6qm3MdKa3BlBOlzzsWD', '_ugTplnFtnJofe5cMQgodu6UugO', '_Ct2YkOBlsGGZGwI0uFy9Bco5iIf', '_5zY3NUJgfv3Ecw3W4lDcFGRdXfq', '_U3JHJBuRzsQRxqeHhnaz9YXvndh', '_8vanbHiVyMzjbKZP3Za1PZkR5Sg'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _GN8QuG3bOILo41U8rt2w03Ampzi.csHigh entropy of concatenated method names: '_Ek7ktFHKbm2jI9gQOSuPOcQJGdD', '_Ek7ktFHKbm2jI9gQOSuPOcQJGdD', '_JQACZrULgFQ3gKZUhlBVlrj5WZo', '_JQACZrULgFQ3gKZUhlBVlrj5WZo', '_opA8D9dgEXkACLvlHdQtla390oR', '_Gpmiz3mzcUUuz3ktGGXaOOk4uui', '_opA8D9dgEXkACLvlHdQtla390oR', '_RBUokc2hAMyl4WA7y2Sdmyw2onx', '_y8vbV2b9emqT5zchW1LQP1Nas3V'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _28L2EDauBZpsXJfbZ0EKNemkkRd.csHigh entropy of concatenated method names: '_Uy1hWQUVMAhqm0Nk3FSCh1I2GFO', '_BCosM6D6HCPhFHjkh9Eiqd4TqRe', '_8rhajqx1hfUtRGY5P7lmJNcenZL', '_opA8D9dgEXkACLvlHdQtla390oR', '_67fDFRe6Weea8LrjxYAslfAyIPd', '_67fDFRe6Weea8LrjxYAslfAyIPd', '_JQACZrULgFQ3gKZUhlBVlrj5WZo', '_RBUokc2hAMyl4WA7y2Sdmyw2onx', '_AHua4CbkA4IMfViIlOBVT8jCuIdb', '_u2EM6kJdjSYqImVW9NOph5N2WOm'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _aAxs4rszpUKxy56wKYiH14VRO1e.csHigh entropy of concatenated method names: '_nCmD3sSUnVTmtMhz7RobKOnhqz6', '_KwA31fda4XTbIFgiM7dteeQ4Hj1A', '_QnjzvXqjDcax2XF0YRQC7kdZWOF', '_9hkFcFK6s1eLPDsssW3A2I4lUc', '_9hkFcFK6s1eLPDsssW3A2I4lUc', '_S1GhhbgFGDxitopjZKsvObL5g7H', '_lB2InSnxZxS4dYuPaOIdSqTARUm', '_0O6cnFSVQsziTwrXPpPTO7WzuRi', '_nV0JewzwtKB6WQL00FUq6mTKitc', '_azXbLBRL59OfxOOpx7BxLqyz4Fr'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _WnKi5is6lL7oH9KRd609y35huyd.csHigh entropy of concatenated method names: '_LCaFM6SAcwaCIcvjqzpNCI5u1pC', '_2WPnof0WhCJ8Ttmb1h20u6bBDEM', '_0isaaKRhLvYfeFq0xVqcrIjiHJ6', '_ohF3DV1X9rJBoZePa4DmDcBrK4h', '_uXIuWpU4UXvLGhwlZFwqQcTrgId', '_xlmzPjFKHsuccdMBIbnMls5hW7A'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _pyzNCxdc71jAy0qEaNphCRUAFUaA.csHigh entropy of concatenated method names: '_y5yeV4pm8cYDSdvUMw9cdJEJyYJ', '_Zt4LmgILunPjYJMbLVFCncyEJQ8', '_AHua4CbkA4IMfViIlOBVT8jCuIdb', '_67fDFRe6Weea8LrjxYAslfAyIPd', '_wi8bza6m0LVXHa0ZTXkqgHZRI6J', '_jhoIrMZGgH8ysyQ6zkbgcpzDdAS', '_Ek7ktFHKbm2jI9gQOSuPOcQJGdD', '_RBUokc2hAMyl4WA7y2Sdmyw2onx', '_opA8D9dgEXkACLvlHdQtla390oR', '_opA8D9dgEXkACLvlHdQtla390oR'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _P62yFAl6GwZviNNUfqOdQSTnh8e.csHigh entropy of concatenated method names: '_nCmD3sSUnVTmtMhz7RobKOnhqz6', '_nCmD3sSUnVTmtMhz7RobKOnhqz6', '_KwA31fda4XTbIFgiM7dteeQ4Hj1A', '_KwA31fda4XTbIFgiM7dteeQ4Hj1A', '_QnjzvXqjDcax2XF0YRQC7kdZWOF', '_QnjzvXqjDcax2XF0YRQC7kdZWOF', '_9hkFcFK6s1eLPDsssW3A2I4lUc', '_9hkFcFK6s1eLPDsssW3A2I4lUc', '_9hkFcFK6s1eLPDsssW3A2I4lUc', '_9hkFcFK6s1eLPDsssW3A2I4lUc'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _dHpvvsnlLC7RYZuXP7EZCaVhbPm.csHigh entropy of concatenated method names: '_4Vdny5nO2goci5fLEVvUhIiwPW', '_5LD8ufenams8RdPCBdYSqp0od0I', '_iGzrgHGDbqJMHW0dh6RICTqJNRcA', '_QKXIKScLx6wUpOwN6FuA3Bjk7CL', '_wNR1mSM2h6QA7Ke0AAiEbl9j49J', '_Bf1Dri7ZMdZkk8RpBqLDU1ppSMB', '_pWyG7cHjl0kkMIINpKPLGzTYehc', '_f0PNcvlG1fBpef3ltHCb8eFMHwK', '_Ok7MeIiUkxnfKPhW0UylNUWj1jd', '_k3GZSlbJRMF7ZZkhZHla8CKEvUw'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _IITdhszoK6GlVm3s2Ubk6HzApWt.csHigh entropy of concatenated method names: '_CDMVEd7X4ngvvH61DqvI1EE4E6m', '_BeuLBDHGv4CDnGuT2zOrUW1RYys', '_60SbQsqQmkMI0nOgZMn7NoUZBrq', '_rHs40s7hryCQljucEJqZBHZneKZ', '_3JjZgsO5OeaPCaVbe1JJzRfeaCB', '_6Vj1uKZwGTT7OwECNMvHJ76G91', '_xaGpmmbl6BmcbSzcATIqc4TzzK', '_Z6oVXvz30M77KUETAYpjFTcmr3O', '_5faGROhLntrDiS1OhIEEI64OjIf', '_v4fiMI6Dz0CcXni16fpay9Er0Vg'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _ujLnCcAJ5DloL5HWFZ0mnkBINCo.csHigh entropy of concatenated method names: '_kMHM8xkpo3UBWrd5e6QDtCY07ii', '_pTcdJb648l6cukWr0JNoopywkHG', '_H2Hb204PTdXipbDEmphqi4Ix6uT', '_L7k0uG4DhGZNWvFVW0IkR1gCX0BA', '_Q3WRgZgjdCcGdk5hZzhucDNg78P', '_gTCcXSPTKOhV51EK4mV4XKptB2f', '_4GhsvuDKTeO29b56ZtPf2gMIxWG', '_MN1Dmonsb0YRXgD9T3pqckSG3pk', '_Hwu9zFijtQOdCiGOLHWPq2natID', '_Hwu9zFijtQOdCiGOLHWPq2natID'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _dgB0OssWQoC5iaBC4BjuoKZZgpC.csHigh entropy of concatenated method names: '_0OaasE6unegtsK8h66DV8wZcbhO', '_0OaasE6unegtsK8h66DV8wZcbhO', '_0OaasE6unegtsK8h66DV8wZcbhO', '_FpTitZ8M2mukUsYIrbLsExTAwkn', '_FpTitZ8M2mukUsYIrbLsExTAwkn', '_FpTitZ8M2mukUsYIrbLsExTAwkn', '_0dGKpYlQBAnsDzgyLCaboqpEflb', '_0dGKpYlQBAnsDzgyLCaboqpEflb', '_0dGKpYlQBAnsDzgyLCaboqpEflb', '_JkyadZZZfBD85ozgFAyVE1IoP7w'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _chTCBifIjad50SCMhdDDqDarQoh.csHigh entropy of concatenated method names: '_lL1l91GqcC45wai5xZuK0HeeiTK', 'GetEnumerator', 'GetEnumerator', 'MoveNext', 'MoveNext', 'Reset', 'Dispose', '_huHjV4jiupZe20JbmKp9AO83H4J', '_5faGROhLntrDiS1OhIEEI64OjIf', '_Zt4LmgILunPjYJMbLVFCncyEJQ8'
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, _mSmHaTjeptjsodoHQyVvTUd3xNi.csHigh entropy of concatenated method names: '_Wg7byFc0BVecelfRvZBFWBKpKrKb', '_hQJCz4BgXwa20tpgVEM1DzmjoWAA', '_1pL2VHi9uLbapYJY6OXgkEV3irf', '_q9MiPIFCKrrUXOBwkwHfGODr1KU', '_vqVT07Q0PufqvCKrQYi7wqbuXdD', '_F3fA8H5GDuxwXtZCw5JJ7XEaFmL'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, YyuYqbca3CLhxViMNj8E6Xcj6VHUkmxhWM6Zh.csHigh entropy of concatenated method names: 'uJO60Ra5QyP796gvRKy3gvHn6XNBh3ru0RfPQ', 'niiyIRI0xYH5BJ1mxsmfRaY7afHtGHk4mCQBn', 'qPtu0APtHfdvmTMrizZzsR62b53ZQ5q5tqvnx', 'ovwbhcAbZOe8', 'WHBW74ceG3ZP', 'M7sZJrFT26ZS', 'xnZlbn6rda2r', 'ag6aXckRrUCV', 'Tq9bVtJfXceh', 'S0jC6ivqK0XF'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, PO2J9D1WRiI6m0ipwAd0v13JsqfjP1meDFXCDrksTbZIjBpTdSzl.csHigh entropy of concatenated method names: 'heuGvrbwrJkZlsv1SDs0NiCXyCShoqIwA5cDqzUVrQ2ZmDnGY77eatAmeKb6DD8FZ4i0n', 'CRsdQ0U34LWH5aVIx3TG0XLncyvwTt9A3ejWFyDIqB9nxsaIxULHTqohdIVighKkUKStT', 'o5HFlCfrDjoThWzhW0bRnzww7mOfcAd89bERuMbyxrGkMQ9UqBtXZ8bNA1VFT5UI3CqF7', 'YISbYE1PAlqTRRj1Db45C9pCku8uREaQ0vlvGWP0LZC5dJewySX1qvtV2BIPz3UC4aEyK'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, 5h5xAmfnZGtkMaNXfYn.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qRhzIxbRRtq6RzE4akKn9R11ayMxtJKlEwCjecUuJFfRHZyxv9A0tpk6GBoovnmwY9zyG', '_6LgvyH9sBVxZITORr9eJUoHQ6NjMcCKE8MlhehvJTPvUogeBmEuviccLdTeDrR8Suzgm0', '_4fBaKy8LjvXrZX2WGsuJ1XiNOXo7FJWtoeCGQK8ybbProFEVAf41PwC9vkjsKIXtNoCbx', 'WaUzWl07WIjhhBUHH3YqvNs9Ds2ExA9qqENmKJGJcc00eGSAirAe4Uda1xB2JiqPwNsLW'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, jDKpt8hItxlJLLzKNvaldA4YWgyebdv9hqGY2KmOs3WtP3M8sk2r.csHigh entropy of concatenated method names: 'Odw1WVHL5lYYFYPODbTZIh49jmnuHiqKWwqX6E8CPrSH7cQlmBiw', 'Xbmw4e3wMTP1dLlMiDHl2xx2JIFuuS85zCEB9jPLIcPcSFdmRDe5', '_8zuP0bVC0FrFEV0PMVo1QSLDSwSsiEWUynj9gOnrd8xOZSyLvsaQ', 'HHCA8nfRHxjHhY3odsjFxcI91X3gLmyGcShAwStUu4tYEJpozRMg', 'cL6Kdz6YWjYnuXZOVQ0WQrEuy4srSS6hVV2m9b6wbCx7GuE20xNF', 'QNn9XvzyWFD8xGsdUwL2lR3J94p7gbMA65VpC7En6jCFP9yqIdo8', 'CqttZTaJ2io4U6yf7i8MEcnSVCdT4NSRThvGuWGql4J2R5VJyNPB', 'jVc3EsomXIUHhHq4O4tMTOuHK53seMJFGg8IQXScEbqnV907nEbi', '_2Kv1rpzXo4qLOiUsm23DsF0Nw6y4Ys9KibHJwQsXTjU9fKvsKW4x', 'PsrLWfXXIM6yPKhJShyqhKyp2qvsIjTWJ1CeVKqSrvXeNs8QeMAN'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, 88nQNm25NQh5PkykT63K46WdwQjci7gq4ATYT.csHigh entropy of concatenated method names: 'eydQU2Zz93nsfqQ3FudIwtL32UTgtGxEhp2gr', 'JbTBqTDTwoQfAmWztv4k1yCo2HWu3N0hbZxHP', '_4jFTaeYtn3OxBpxhirI44bLApcYU4d4DMItjw', 's62bqThYMxKu79O4I0aA7YNBxlMMkLLGjIC3G', 'rZQdgIuQAMIRxUiuZ50mPuSDgENybiH09oFep', 'E4Wx9XCnYJkrlZY54zq6BtyGfdmcQAsxuLBoX', 'DLHyGqiRj8Gt6JQ2xT1xh2ag7sG6MZXzLLedi', '_2e4J3yVsQ75SwPGsIMeVT9yO1plgI8WtCVDDP', 'kBg2uJx7lfMJmrikfZbV4NhELBgo6oIuvDNr0', 'QPzOfEvXJSFFiQgm0gp0nOtC442bOWunupu17'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, 11FxyBo1jAz21Irma2rp0JSYq6WtMg2YhWVCy8dpv8QQW8f2i7M8.csHigh entropy of concatenated method names: 'osu3Dr2PEKZaaY2kkGeO2U4iEa44w5r8JvV4CPz0zJ576pMIEqa0', 'fDQlxJm32twlHDC1DPjbmRfxn1Y5jVaiWGQ8YAIODwUV484Cz3wI', 'bOO867nUbCTa1nJJGiKGyV5XaqhH1SbaobqYjqsHZForqsEuFxOD', 'HeSWCWu9G5zcX2ualFphFpc5ekis5vDWZ2ajBpwG83ue4PCp9Kkm', 'IexoapuByiWVX4oNzX5QIbzCnDPiKyHjJwTGpDeNiBz4FmoRHRTr', 'IDkS5xaW1KADRZjkfQHf960bcumF51skPYwWOf2uFrtAujdV76rF', 'WUHMAxK34fUIL0aOMY1kEpItHQktGLUr3g98bSIMm5WUiQ6uNmZ3', 'ubCC3ivhD2eYumSsCQuMjOJBQRT0nfNyQqdivt2ScTRWL3xK6lXS', '_1NK26DOhdI3DPyj4oPkx0kTQVL718zphfza4JqANOX88vE1J9H7h', 'ZihShet2cgOlbUux9WGudsLhj5Kx55BZG00GvVpQiWllp0h7dGOF'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, eTiKHLF34GolSQ6PFMcloAOO0g0kcw9nw8ECGA7aqWjnLLecA3bY.csHigh entropy of concatenated method names: 'aPOgYje42fWEeDLWFDrSiXx0dBhcf04qNQzJ2sG0WA0c8ZdGiYfT', 'TvGeLPqvcnN0MCiMa5O21nmRHVTLf74gNqH26yLP2mHF3ERWvgTj', 'oRLUTMZoKYJuueB2QZNnmMetw9E1vz32fKndEY2S778unSEjMppa', 'FmIuypd2VzguPsjaHOSOldrtx5ps5akaQ0HTsMlPVlAu0YrXDx6B', 'UaiZfLqnAtMxqKNFJowOBvegs39z94FcQi4HBmjxozxKeT6RjkVB', 'yGZXch34FzBPKcGvrtwBPrZkVaNSprMKXpbiSh04TZLuN8EoBvhj', 'Xx7DHVx90FdjZlFKTQa8FMagoSrhWrqIdTStNKUt1hx4DxomDSjZ', 'JbPsdsxI2xzJ8XpGXx5tbIlGuxPEEk6YKokfA3OkBIIdNkBtCWyK', 'dBVqgznIqwxqHV3qhWXLAP0XxH6QnXU9K6KwPFiYtvIFAfKxTAqr', 'op79wL0ry88sjop5ud26Qx0skMsdGy8P780wg66p4521Ds40B0YN'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, snUww6Y8cfg75XnNgBA9azzWHAVsxS39FujuFNV1ZcQz7SCBp2WZ.csHigh entropy of concatenated method names: 'iuWhGWCNtlWxXSf1hjCJ4wHT92YrsBWrwedOq', 'SCY7kIvEVFsvno16IoFx4EHOUtpz1mVYi0oXA', 'RENKOBvVhTFayfpOt9eyMDPeZ1RVU93s0k58v', 'pakjMK6QzUOP', 'N1Nadf83hvyl', 'kS7suSsqzdrM', 'NQcRMWcTiixX', '_7Wvn7SDDWqwE', 'Gqo2iPgRGcDq', '_6GPIeyzVmQlT'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, qteMdBf1KPh3gAjeg5KtlBwkyZLgrsTOrJomO.csHigh entropy of concatenated method names: 'SPPVHtLW6dchIy5v8OftmQS2lonxUP8JlgheX', 'eQRcAADdLeUO0stXyi4aq31XbvsHXOtdB0hY8', 'hZxlR3ddILxNBzrZjXFnhPxVpL8JDKqiljz52', 'X46SAiWEzm2AbB1TeQsS0jv9qR6T1ZhR5dQIo', 'c1jYow2joEZJhdYzuqvVVbsg3wC2ql7fXVv0h', 'HNmfS2W02pmgGwn4I5Y29dSAuynOwb4OlYC07', 'aVjZdnG67nVVTVWEJ15n5v8HHbsQm9MIJt4nq', 'CfFZD9b2AP7qEB7u1huAiYrcyKld67hyetUqr', 'PJVTbNZSKXVyEAZSAmBMRcxMEDdXPGvQmCOdj', 'qevASp5SaHVevsL14Vsqphc7sZYSI14JDh7VL'
                Source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, ZWZtC2VbBslX9k6DNILvPj3AfXodquTMI3Egi.csHigh entropy of concatenated method names: 'fXw4inQnD0DwbFihr3bIztqx0PrBMiHkmtzWv', 'whG3HvV1xc6E6yKvuWAcDCJQMXMdqpTK7hPKm', 'WwjV26uXEm5hwNcw6bXojG7uLZd5o6F0eqyZr', 'vCXvRGQ0DCUMkYzDSOhLEItydzZ6O3oCYXvf4', 'br1YeM8DAFQa', '_2vxCagAPM16B', 'u6Jm8y6dZeJS', '_23GwLhJXCLYg', '_93iDpEFPiZP6', 'ifychiNYzKvi'

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1438844114.0000000005146000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 6ab092aeab924edb854b3ff21ea579df.exe PID: 7980, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8172, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR
                Check if machine is in data center or colocation facility
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, 6ab092aeab924edb854b3ff21ea579df.exe, 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory allocated: E00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory allocated: 29B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory allocated: 49B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 398Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9442Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7347Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2304Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5579Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4191Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe TID: 8000Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3532Thread sleep count: 5579 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3532Thread sleep count: 4191 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2736Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: RegSvcs.exe, 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: RegSvcs.exe, 00000003.00000002.3838288200.0000000001478000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0183AB6C CheckRemoteDebuggerPresent,3_2_0183AB6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Bypasses PowerShell execution policy
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 416000Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1152008Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'Jump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeQueries volume information: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: RegSvcs.exe, 00000003.00000002.3838288200.0000000001478000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae49b8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae41d0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae3ddc.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 6ab092aeab924edb854b3ff21ea579df.exe PID: 7980, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8064, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae49b8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ac18c4.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae41d0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ae3ddc.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.6ab092aeab924edb854b3ff21ea579df.exe.2ab7070.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 6ab092aeab924edb854b3ff21ea579df.exe PID: 7980, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8064, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                Windows Management Instrumentation                		1
                DLL Side-Loading                		311
                Process Injection                		1
                Masquerading                		OS Credential Dumping431
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                PowerShell                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		11
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)141
                Virtualization/Sandbox Evasion                		Security Account Manager141
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Ingress Tool Transfer                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture2
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeylogging12
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                Obfuscated Files or Information                		Cached Domain Credentials1
                File and Directory Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Software Packing                		DCSync13
                System Information Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1508105 Sample: 6ab092aeab924edb854b3ff21ea... Startdate: 09/09/2024 Architecture: WINDOWS Score: 100 32 notes-ease.gl.at.ply.gg 2->32 34 ip-api.com 2->34 36 206.23.85.13.in-addr.arpa 2->36 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 14 other signatures 2->48 9 6ab092aeab924edb854b3ff21ea579df.exe 1 2->9         started        signatures3 process4 file5 30 6ab092aeab924edb854b3ff21ea579df.exe.log, CSV 9->30 dropped 52 Detected unpacking (changes PE section rights) 9->52 54 Detected unpacking (overwrites its own PE header) 9->54 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->56 58 3 other signatures 9->58 13 RegSvcs.exe 15 3 9->13         started        17 RegSvcs.exe 9->17         started        19 conhost.exe 9->19         started        signatures6 process7 dnsIp8 38 ip-api.com 208.95.112.1, 49705, 80 TUT-ASUS United States 13->38 40 notes-ease.gl.at.ply.gg 147.185.221.17, 22444, 49706, 64164 SALSGIVERUS United States 13->40 60 Protects its processes via BreakOnTermination flag 13->60 62 Adds a directory exclusion to Windows Defender 13->62 21 powershell.exe 23 13->21         started        24 powershell.exe 23 13->24         started        64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->64 66 Bypasses PowerShell execution policy 17->66 68 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 17->68 signatures9 process10 signatures11 50 Loading BitLocker PowerShell Module 21->50 26 conhost.exe 21->26         started        28 conhost.exe 24->28         started        process12

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                6ab092aeab924edb854b3ff21ea579df.exe34%ReversingLabsWin32.Trojan.Generic
                6ab092aeab924edb854b3ff21ea579df.exe100%AviraTR/Dropper.Gen2
                6ab092aeab924edb854b3ff21ea579df.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://nuget.org/NuGet.exe0%URL Reputationsafe
                https://contoso.com/0%URL Reputationsafe
                https://nuget.org/nuget.exe0%URL Reputationsafe
                https://contoso.com/License0%URL Reputationsafe
                https://contoso.com/Icon0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
                http://crl.micro0%Avira URL Cloudsafe
                http://schemas.xmlsoap.org/soap/encoding/0%Avira URL Cloudsafe
                http://pesterbdd.com/images/Pester.png0%Avira URL Cloudsafe
                http://crl.micro.0%Avira URL Cloudsafe
                http://schemas.xmlsoap.org/wsdl/0%Avira URL Cloudsafe
                https://aka.ms/pscore6lB0%Avira URL Cloudsafe
                http://goo.gl/YroZm&quot;0%Avira URL Cloudsafe
                http://www.microsoft.co60%Avira URL Cloudsafe
                http://crl.microz0%Avira URL Cloudsafe
                notes-ease.gl.at.ply.gg0%Avira URL Cloudsafe
                https://github.com/Pester/Pester0%Avira URL Cloudsafe
                http://www.microsoft.0%Avira URL Cloudsafe
                http://ip-api.com/line/?fields=hosting0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                ip-api.com
                		208.95.112.1
                		truetrue
                  		unknown
                  notes-ease.gl.at.ply.gg
                  		147.185.221.17
                  		truetrue
                    		unknown
                    206.23.85.13.in-addr.arpa
                    		unknown
                    		unknownfalse
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      notes-ease.gl.at.ply.ggtrue
                      • Avira URL Cloud: safe
                      		unknown
                      http://ip-api.com/line/?fields=hostingfalse
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crl.micro.powershell.exe, 00000004.00000002.1450036216.0000000008AFF000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.1442843234.000000000605C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.micropowershell.exe, 00000007.00000002.1490075894.0000000008679000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000004.00000002.1438844114.0000000005146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://aka.ms/pscore6lBpowershell.exe, 00000004.00000002.1438844114.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004BB1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.1438844114.0000000005146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://contoso.com/powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.1442843234.000000000605C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://contoso.com/Licensepowershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://contoso.com/Iconpowershell.exe, 00000007.00000002.1480318089.0000000005C1B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.microsoft.co6powershell.exe, 00000007.00000002.1490075894.0000000008679000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://goo.gl/YroZm&quot;6ab092aeab924edb854b3ff21ea579df.exefalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://crl.microzpowershell.exe, 00000007.00000002.1490075894.0000000008633000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.microsoft.powershell.exe, 00000007.00000002.1490075894.0000000008679000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1438844114.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1470108915.0000000004BB1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      208.95.112.1
                      		ip-api.comUnited States
                      		53334TUT-ASUStrue
                      147.185.221.17
                      		notes-ease.gl.at.ply.ggUnited States
                      		12087SALSGIVERUStrue

                      General Information

                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1508105
                      Start date and time:2024-09-09 17:28:08 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 2s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:15
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:6ab092aeab924edb854b3ff21ea579df.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@12/10@4/2
                      EGA Information:
                      • Successful, ratio: 75%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 217
                      • Number of non-executed functions: 4
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target powershell.exe, PID 8172 because it is empty
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: 6ab092aeab924edb854b3ff21ea579df.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      11:29:04API Interceptor20x Sleep call for process: powershell.exe modified
                      11:29:11API Interceptor9884909x Sleep call for process: RegSvcs.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      208.95.112.1Ubk6gnUESo.exeGet hashmaliciousXWormBrowse
                      • ip-api.com/line/?fields=hosting
                      4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                      • ip-api.com/line/?fields=hosting
                      jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                      • ip-api.com/line/?fields=hosting
                      fattigdomsrapporten.exeGet hashmaliciousAgentTeslaBrowse
                      • ip-api.com/line/?fields=hosting
                      KM75Avr7PS.exeGet hashmaliciousAgentTeslaBrowse
                      • ip-api.com/line/?fields=hosting
                      RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                      • ip-api.com/line/?fields=hosting
                      0HAsH94TVT.exeGet hashmaliciousAgentTeslaBrowse
                      • ip-api.com/line/?fields=hosting
                      Bm3Ux1o05M.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                      • ip-api.com/line/?fields=hosting
                      shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                      • ip-api.com/line/?fields=hosting
                      Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                      • ip-api.com/line/?fields=hosting
                      147.185.221.17Hoodbyunlock.exeGet hashmaliciousXWormBrowse
                        x.exeGet hashmaliciousXWormBrowse
                          cougif6lqM.exeGet hashmaliciousDCRat, XWormBrowse
                            FUDE.bin.exeGet hashmaliciousXWormBrowse
                              system47.exeGet hashmaliciousXWormBrowse
                                setup.exeGet hashmaliciousXWormBrowse
                                  APPoKkkk8h.exeGet hashmaliciousUnknownBrowse
                                    hatabat.exeGet hashmaliciousBlank Grabber, DCRat, XWormBrowse
                                      file.exeGet hashmaliciousStealerium, SugarDump, XWormBrowse
                                        system.batGet hashmaliciousXWormBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          ip-api.comUbk6gnUESo.exeGet hashmaliciousXWormBrowse
                                          • 208.95.112.1
                                          4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 208.95.112.1
                                          jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                                          • 208.95.112.1
                                          fattigdomsrapporten.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          KM75Avr7PS.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 208.95.112.1
                                          0HAsH94TVT.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          Bm3Ux1o05M.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 208.95.112.1
                                          shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          SALSGIVERUS4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 147.185.221.22
                                          jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                                          • 147.185.221.21
                                          RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 147.185.221.22
                                          PPz346dmz6.exeGet hashmaliciousNjratBrowse
                                          • 147.185.221.22
                                          PCCooker2.0_x64.exeGet hashmaliciousAsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRatBrowse
                                          • 147.185.221.21
                                          BrxaiME612.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 147.185.221.22
                                          Nursultan.exeGet hashmalicious44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWormBrowse
                                          • 147.185.221.22
                                          aimbot.exeGet hashmaliciousXWormBrowse
                                          • 147.185.221.22
                                          Launcher.exeGet hashmaliciousUnknownBrowse
                                          • 147.185.221.22
                                          Launcher.exeGet hashmaliciousUnknownBrowse
                                          • 147.185.221.22
                                          TUT-ASUSUbk6gnUESo.exeGet hashmaliciousXWormBrowse
                                          • 208.95.112.1
                                          4RXDcatXyT.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 208.95.112.1
                                          jj7svxNeaQ.exeGet hashmaliciousXWormBrowse
                                          • 208.95.112.1
                                          fattigdomsrapporten.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          KM75Avr7PS.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          RHUENHera1.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                          • 208.95.112.1
                                          0HAsH94TVT.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          Bm3Ux1o05M.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          • 208.95.112.1
                                          shipping doc for Invoice No. 61-FK-24.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1
                                          Rejected Shipping Documents compiled PL pdf.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.95.112.1

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6ab092aeab924edb854b3ff21ea579df.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):425
                                          Entropy (8bit):5.353683843266035
                                          Encrypted:false
                                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                          MD5:859802284B12C59DDBB85B0AC64C08F0
                                          SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                          SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                          SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.379238069165126
                                          Encrypted:false
                                          SSDEEP:48:+WSU4y4RFymFoUeW+gZ9tK8NPZHUxL7u1iMuge//MvUyus:+LHyIFvKLgZ2KRHWLOug8s
                                          MD5:694BBEF5E3FBA7BA13A17EAFB23E594C
                                          SHA1:7D1F19706FD30EA6DBD72FCC60DA187983BB9B87
                                          SHA-256:FAEFFC0EB211238069E6C0A21B14A128C0F6AE53D84D6C7BC72DD24E9346C0A8
                                          SHA-512:4EA69F9071AA37567E07B6A1C4E9F49096832C6DB4CA10479767A5DA9F4BBFAFE154FAD5D21CC886F4083E6F0E80FAEE20A88A12B21D795273E99A41DE0CA4E2
                                          Malicious:false
                                          Reputation:low
                                          Preview:@...e.................................*..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2u2jo5d.3nn.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_js233wg4.ft2.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksnq3jbx.uwa.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_liy3quaz.ctm.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkqjrqyp.h0w.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qoc4aysr.zwc.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_redb0z52.iff.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syu4i3oy.5oh.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):5.834868713624231
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:6ab092aeab924edb854b3ff21ea579df.exe
                                          File size:858'624 bytes
                                          MD5:5d5aa86355c219b3c6d2d1f3cbc48f7b
                                          SHA1:cd80999aa94c79a3f1b6e27afd7ec89f72a820c3
                                          SHA256:d45384c86bcee5d875a2fbe48be240636478bf3c8d730526816d2e30d04a5c61
                                          SHA512:61cd5ab70f1ed6691c46a1675886f9b6459c364c2ca42c6fd37eb7ae70b85371a2f742c82129451bfb2f34254ec61bfe5adbff5798ec59479cd30ce4c03f0614
                                          SSDEEP:12288:OmpoAZUB2efN/l9HeVUMyRLFTx+KDSlRflgTu/vAbs978bJAcGFcBHcbysm1yt17:ZpcAPryslR0DsP6Ce6P
                                          TLSH:BA05D8243EEB615DE173EE359BE4BDA19E2EF6632707E54F104303CA0A0BA81DE90575
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................./... ...@....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:00928e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4d2f9e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66DEA8DD [Mon Sep 9 07:50:53 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xd2f4c0x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd40000x5a8.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xd60000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xd0fa40xd1000a1372df8cb85178f4b74e384ad3ad0feFalse0.4676379336124402data5.839911670149421IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xd40000x5a80x60048d179ad54589c57b865ba1836a25d28False0.42578125data4.1023721888767195IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xd60000xc0x20007ac93882b9bc9ea07e4d9b8d8634cbcFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_VERSION0xd40a00x318data0.44696969696969696
                                          RT_MANIFEST0xd43b80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Suricata IDS Alerts

                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                          2024-09-09T17:29:50.627200+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.864164147.185.221.1722444TCP
                                          2024-09-09T17:33:02.910364+02002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.864172147.185.221.1722444TCP

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Sep 9, 2024 17:29:04.262262106 CEST4970580192.168.2.8208.95.112.1
                                          Sep 9, 2024 17:29:04.267108917 CEST8049705208.95.112.1192.168.2.8
                                          Sep 9, 2024 17:29:04.267195940 CEST4970580192.168.2.8208.95.112.1
                                          Sep 9, 2024 17:29:04.267926931 CEST4970580192.168.2.8208.95.112.1
                                          Sep 9, 2024 17:29:04.272762060 CEST8049705208.95.112.1192.168.2.8
                                          Sep 9, 2024 17:29:04.763123035 CEST8049705208.95.112.1192.168.2.8
                                          Sep 9, 2024 17:29:04.813920975 CEST4970580192.168.2.8208.95.112.1
                                          Sep 9, 2024 17:29:16.867402077 CEST4970622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:16.872894049 CEST2244449706147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:16.872956991 CEST4970622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:16.922508955 CEST4970622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:16.927438974 CEST2244449706147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:29.817502975 CEST4970622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:29.822410107 CEST2244449706147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:38.230077028 CEST2244449706147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:38.230199099 CEST4970622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:39.189337015 CEST4970622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:39.194758892 CEST2244449706147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:39.206120014 CEST6416422444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:39.211155891 CEST2244464164147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:39.211728096 CEST6416422444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:39.266518116 CEST6416422444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:39.271595955 CEST2244464164147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:29:50.627199888 CEST6416422444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:29:50.632466078 CEST2244464164147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:00.575634956 CEST2244464164147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:00.575850964 CEST6416422444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:01.412957907 CEST6416422444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:01.415954113 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:01.419135094 CEST2244464164147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:01.422360897 CEST2244464165147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:01.422424078 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:01.470413923 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:01.475362062 CEST2244464165147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:12.721019983 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:12.725893974 CEST2244464165147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:19.486483097 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:19.493371010 CEST2244464165147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:22.810085058 CEST2244464165147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:22.810401917 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:23.721956968 CEST6416522444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:23.727175951 CEST2244464165147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:23.728580952 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:23.733582973 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:23.733627081 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:23.761399984 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:23.766746044 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:29.267817020 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:29.272795916 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:29.346060991 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:29.351316929 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:30.077294111 CEST8049705208.95.112.1192.168.2.8
                                          Sep 9, 2024 17:30:30.078119040 CEST4970580192.168.2.8208.95.112.1
                                          Sep 9, 2024 17:30:38.627300024 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:38.632378101 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:44.767847061 CEST4970580192.168.2.8208.95.112.1
                                          Sep 9, 2024 17:30:44.772973061 CEST8049705208.95.112.1192.168.2.8
                                          Sep 9, 2024 17:30:45.105782032 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:45.105843067 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.106237888 CEST6416622444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.109116077 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.111041069 CEST2244464166147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:45.114078045 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:45.114145041 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.155174017 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.160135031 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:45.283653975 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.465888977 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:45.465936899 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:45.471019030 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:47.127365112 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:47.135808945 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:50.111428022 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:50.116391897 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:30:55.643018961 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:30:55.648097038 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:03.705331087 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:03.710520983 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:06.127409935 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:06.132366896 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:06.481165886 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:06.482112885 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:11.145184040 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:11.145185947 CEST6416722444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:11.150219917 CEST2244464167147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:11.150233984 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:11.150300026 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:11.205379963 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:11.210630894 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:11.236494064 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:11.241405010 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:13.736957073 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:14.048827887 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:14.348880053 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:14.348898888 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:16.160429001 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:16.166486025 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:16.455992937 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:16.460839033 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:16.471409082 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:16.477202892 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:21.189876080 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:21.195373058 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:25.877288103 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:25.882873058 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:32.532994986 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:32.535409927 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:36.924540997 CEST6416822444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:36.928116083 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:36.932244062 CEST2244464168147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:36.934163094 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:36.934247017 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:37.185442924 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:37.190383911 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:37.220984936 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:37.225914955 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:37.236633062 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:37.241612911 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:39.127715111 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:39.132616043 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:49.332920074 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:49.338934898 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:57.533667088 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:57.752072096 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.064567089 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.250159979 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:58.250200033 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:58.250228882 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:58.311117887 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:58.312459946 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.312460899 CEST6416922444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.316183090 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.317487955 CEST2244464169147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:58.321057081 CEST2244464170147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:31:58.326930046 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.657812119 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:31:58.663085938 CEST2244464170147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:03.705599070 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:03.710752010 CEST2244464170147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:18.426245928 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:18.432007074 CEST2244464170147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:19.701122046 CEST2244464170147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:19.701210976 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:24.017982960 CEST6417022444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:24.019736052 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:24.023075104 CEST2244464170147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:24.024549007 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:24.024610996 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:24.070439100 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:24.075723886 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:29.377656937 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:29.382833958 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:29.408821106 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:29.414072990 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:29.440148115 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:29.446166992 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:29.612255096 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:29.617204905 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:29.627816916 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:29.632688046 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:29.721391916 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:29.726667881 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:34.835408926 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:34.842745066 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:36.394481897 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:36.399591923 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:45.408744097 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:45.408804893 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:50.064800978 CEST6417122444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:50.067228079 CEST6417222444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:50.072340965 CEST2244464171147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:50.074454069 CEST2244464172147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:32:50.074557066 CEST6417222444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:50.108374119 CEST6417222444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:32:50.115421057 CEST2244464172147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:33:02.910363913 CEST6417222444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:33:02.915474892 CEST2244464172147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:33:08.252713919 CEST6417222444192.168.2.8147.185.221.17
                                          Sep 9, 2024 17:33:08.257719040 CEST2244464172147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:33:11.453162909 CEST2244464172147.185.221.17192.168.2.8
                                          Sep 9, 2024 17:33:11.453233957 CEST6417222444192.168.2.8147.185.221.17

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Sep 9, 2024 17:29:04.250823021 CEST6437853192.168.2.81.1.1.1
                                          Sep 9, 2024 17:29:04.258169889 CEST53643781.1.1.1192.168.2.8
                                          Sep 9, 2024 17:29:16.725333929 CEST5637453192.168.2.81.1.1.1
                                          Sep 9, 2024 17:29:16.860596895 CEST53563741.1.1.1192.168.2.8
                                          Sep 9, 2024 17:29:19.136548996 CEST53550361.1.1.1192.168.2.8
                                          Sep 9, 2024 17:29:32.649482965 CEST5356649162.159.36.2192.168.2.8
                                          Sep 9, 2024 17:29:33.126816988 CEST5488853192.168.2.81.1.1.1
                                          Sep 9, 2024 17:29:33.140069962 CEST53548881.1.1.1192.168.2.8
                                          Sep 9, 2024 17:29:39.191195011 CEST6299453192.168.2.81.1.1.1
                                          Sep 9, 2024 17:29:39.205502987 CEST53629941.1.1.1192.168.2.8

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Sep 9, 2024 17:29:04.250823021 CEST192.168.2.81.1.1.10x1ce7Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                          Sep 9, 2024 17:29:16.725333929 CEST192.168.2.81.1.1.10xbddStandard query (0)notes-ease.gl.at.ply.ggA (IP address)IN (0x0001)false
                                          Sep 9, 2024 17:29:33.126816988 CEST192.168.2.81.1.1.10x19eaStandard query (0)206.23.85.13.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                          Sep 9, 2024 17:29:39.191195011 CEST192.168.2.81.1.1.10x1c6cStandard query (0)notes-ease.gl.at.ply.ggA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Sep 9, 2024 17:29:04.258169889 CEST1.1.1.1192.168.2.80x1ce7No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                          Sep 9, 2024 17:29:16.860596895 CEST1.1.1.1192.168.2.80xbddNo error (0)notes-ease.gl.at.ply.gg147.185.221.17A (IP address)IN (0x0001)false
                                          Sep 9, 2024 17:29:33.140069962 CEST1.1.1.1192.168.2.80x19eaName error (3)206.23.85.13.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                          Sep 9, 2024 17:29:39.205502987 CEST1.1.1.1192.168.2.80x1c6cNo error (0)notes-ease.gl.at.ply.gg147.185.221.17A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • ip-api.com

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.849705208.95.112.1808064C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          TimestampBytes transferredDirectionData
                                          Sep 9, 2024 17:29:04.267926931 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                          Host: ip-api.com
                                          Connection: Keep-Alive
                                          Sep 9, 2024 17:29:04.763123035 CEST175INHTTP/1.1 200 OK
                                          Date: Mon, 09 Sep 2024 15:29:03 GMT
                                          Content-Type: text/plain; charset=utf-8
                                          Content-Length: 6
                                          Access-Control-Allow-Origin: *
                                          X-Ttl: 60
                                          X-Rl: 44
                                          Data Raw: 66 61 6c 73 65 0a
                                          Data Ascii: false


                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:11:28:59
                                          Start date:09/09/2024
                                          Path:C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\6ab092aeab924edb854b3ff21ea579df.exe"
                                          Imagebase:0xf30000
                                          File size:858'624 bytes
                                          MD5 hash:5D5AA86355C219B3C6D2D1F3CBC48F7B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1389347400.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1389347400.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:2
                                          Start time:11:29:00
                                          Start date:09/09/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                          Imagebase:0x230000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:3
                                          Start time:11:29:00
                                          Start date:09/09/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                          Imagebase:0xff0000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3837785716.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3842842028.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:false

                                          General

                                          Target ID:4
                                          Start time:11:29:04
                                          Start date:09/09/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
                                          Imagebase:0x20000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.1438844114.0000000005146000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:5
                                          Start time:11:29:04
                                          Start date:09/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:7
                                          Start time:11:29:07
                                          Start date:09/09/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'
                                          Imagebase:0x20000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.1470108915.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:8
                                          Start time:11:29:07
                                          Start date:09/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:13
                                          Start time:11:29:49
                                          Start date:09/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:12.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:40.5%
                                            Total number of Nodes:37
                                            Total number of Limit Nodes:2
                                            execution_graph 8269 4eb3f88 8270 4eb3fd0 VirtualProtect 8269->8270 8271 4eb400a 8270->8271 8234 4ebb4ae 8236 4eba504 8234->8236 8235 4ebb4eb 8235->8235 8236->8235 8241 4eb8cf8 NtWriteVirtualMemory 8236->8241 8244 4eb8d04 VirtualProtectEx 8236->8244 8245 4eb8cd4 8236->8245 8249 4eb8ce0 8236->8249 8253 4eb8cec 8236->8253 8257 4eb8d10 8236->8257 8261 4eb8d1c 8236->8261 8265 4eba060 8236->8265 8241->8236 8244->8236 8247 4ebb7f0 CreateProcessA 8245->8247 8248 4ebba26 8247->8248 8250 4ebbaf0 NtUnmapViewOfSection 8249->8250 8252 4ebbb61 8250->8252 8252->8236 8254 4ebbb90 NtAllocateVirtualMemory 8253->8254 8256 4ebbc1e 8254->8256 8256->8236 8258 4ebc1b8 NtSetContextThread 8257->8258 8260 4ebc229 8258->8260 8260->8236 8262 4ebc1b8 NtSetContextThread 8261->8262 8264 4ebc229 8262->8264 8264->8236 8266 4ebc2e8 NtResumeThread 8265->8266 8268 4ebc361 8266->8268 8268->8236 8272 4ebb484 8273 4eba504 8272->8273 8274 4ebb4eb 8273->8274 8275 4eb8cd4 CreateProcessA 8273->8275 8276 4eb8ce0 NtUnmapViewOfSection 8273->8276 8277 4eb8cec NtAllocateVirtualMemory 8273->8277 8278 4eb8d10 NtSetContextThread 8273->8278 8279 4eb8cf8 NtWriteVirtualMemory 8273->8279 8280 4eb8d1c NtSetContextThread 8273->8280 8281 4eba060 NtResumeThread 8273->8281 8282 4eb8d04 VirtualProtectEx 8273->8282 8274->8274 8275->8273 8276->8273 8277->8273 8278->8273 8279->8273 8280->8273 8281->8273 8282->8273

                                            Executed Functions

                                            Function 04EBA470 Relevance: 3.5, Strings: 2, Instructions: 958COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 4eba470-4eba4a2 1 4eba4a9-4eba4ff 0->1 2 4eba4a4 0->2 3 4ebb4ce-4ebb4e5 1->3 2->1 4 4ebb4eb-4ebb4f2 3->4 5 4eba504-4eba5ea 3->5 4->4 6 4ebb4f4-4ebb4fc 4->6 14 4eba5ec-4eba62f 5->14 15 4eba631-4eba656 5->15 20 4eba65c-4eba678 14->20 15->20 22 4eba67a-4eba681 20->22 23 4eba6a7 20->23 22->22 25 4eba683-4eba688 22->25 24 4eba6b1-4eba719 call 4eb9fc8 23->24 35 4eba71b-4eba726 24->35 36 4eba728 24->36 26 4eba69a-4eba6a5 25->26 27 4eba68a-4eba694 25->27 26->24 27->26 37 4eba732-4eba763 call 4eb9fc8 35->37 36->37 41 4eba77b 37->41 42 4eba765-4eba76c 37->42 44 4eba785-4eba7cc 41->44 42->42 43 4eba76e-4eba779 42->43 43->44 47 4eba7fb-4eba809 44->47 48 4eba7ce-4eba7e1 44->48 50 4eba80f-4eba81a 47->50 48->48 49 4eba7e3-4eba7f9 48->49 49->50 51 4eba825-4eba846 call 4eb8cd4 50->51 53 4eba84b-4eba878 51->53 54 4eba8aa-4eba8f8 53->54 55 4eba87a-4eba881 53->55 62 4eba8fa-4eba901 54->62 63 4eba945-4eba973 54->63 55->55 56 4eba883-4eba89f 55->56 56->54 62->62 64 4eba903-4eba943 62->64 68 4eba979-4eba988 call 4eb8ce0 63->68 64->68 71 4eba98d-4eba994 68->71 72 4eba99d-4eba9c0 call 4eb8cec 71->72 74 4eba9c5-4eba9d3 72->74 75 4eba9d9-4eba9e0 74->75 76 4ebaa6e 74->76 75->75 78 4eba9e2-4eba9f3 call 4eb8cf8 75->78 77 4ebaa78-4ebaa98 76->77 79 4ebaaca-4ebaad3 77->79 80 4ebaa9a-4ebaaa1 77->80 83 4eba9f8-4ebaa06 78->83 84 4ebaf4b-4ebaf67 79->84 80->80 82 4ebaaa3-4ebaab4 80->82 93 4ebaabf 82->93 83->76 85 4ebaa08-4ebaa0f 83->85 86 4ebaad8-4ebab73 call 4eb9fc8 * 2 84->86 87 4ebaf6d-4ebaf80 84->87 85->85 89 4ebaa11-4ebaa28 85->89 105 4ebabaa-4ebabf8 86->105 106 4ebab75-4ebab7c 86->106 95 4ebafcf-4ebb000 87->95 96 4ebaf82-4ebaf89 87->96 94 4ebaa2f-4ebaa4d call 4eb8d04 89->94 93->79 100 4ebaa52-4ebaa6c 94->100 110 4ebb006-4ebb015 call 4eb8d10 95->110 96->96 97 4ebaf8b-4ebafcd 96->97 97->110 100->77 120 4ebac03-4ebac1c 105->120 106->106 108 4ebab7e-4ebaba9 106->108 108->105 114 4ebb01a-4ebb046 110->114 116 4ebb078-4ebb0b0 114->116 117 4ebb048-4ebb04f 114->117 122 4ebb211-4ebb31e call 4eb8cf8 116->122 123 4ebb0b6-4ebb0bd 116->123 117->117 118 4ebb051-4ebb06d 117->118 118->116 125 4ebac27-4ebad37 call 4eb9fc8 call 4eba010 * 2 120->125 151 4ebb320-4ebb33c 122->151 152 4ebb347-4ebb39c 122->152 123->123 124 4ebb0bf-4ebb133 123->124 146 4ebb13f-4ebb15b call 4eb8cf8 124->146 154 4ebad3c-4ebad5d call 4eb8cf8 125->154 153 4ebb160-4ebb199 146->153 151->152 171 4ebb39d-4ebb3a3 call 4eb8d1c 152->171 155 4ebb1cb-4ebb20c 153->155 156 4ebb19b-4ebb1a2 153->156 161 4ebad62-4ebad9b 154->161 155->171 156->156 159 4ebb1a4-4ebb1c0 156->159 159->155 163 4ebad9d-4ebadb9 161->163 164 4ebadc4-4ebae31 161->164 163->164 179 4ebae5f-4ebae80 164->179 180 4ebae33-4ebae5d 164->180 176 4ebb3a8-4ebb3e1 171->176 177 4ebb413-4ebb419 call 4eba060 176->177 178 4ebb3e3-4ebb3ea 176->178 184 4ebb41e-4ebb457 177->184 178->178 181 4ebb3ec-4ebb408 178->181 183 4ebae86-4ebae8e 179->183 180->183 181->177 188 4ebae95-4ebaecb call 4eb8d04 183->188 186 4ebb459-4ebb475 184->186 187 4ebb480-4ebb4c5 184->187 186->187 187->3 187->6 194 4ebaed0-4ebaf08 188->194 196 4ebaf3a-4ebaf45 194->196 197 4ebaf0a-4ebaf11 194->197 196->84 197->197 198 4ebaf13-4ebaf2f 197->198 198->196
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0$H
                                            • API String ID: 0-1388647558
                                            • Opcode ID: 70bcf825da3595e46a17da085da8b9a979ba10cdf350252d459211eb886b3b20
                                            • Instruction ID: 765bd15849ad98846be68c5d13c43a12db9300460c86c27987196ddb63120e36
                                            • Opcode Fuzzy Hash: 70bcf825da3595e46a17da085da8b9a979ba10cdf350252d459211eb886b3b20
                                            • Instruction Fuzzy Hash: C7A2AD74E012298FDB64DF65DD88BEEBBB1BB89300F1091E9D849A7250DB346E85DF40
                                            Function 00E3541D Relevance: 2.8, Strings: 2, Instructions: 278COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 201 e3541d-e35428 204 e3542a-e35430 201->204 205 e3546c-e35484 201->205 213 e35486-e35490 205->213 214 e354ce-e354d5 205->214 218 e354d6-e35504 213->218 219 e35492-e354ac 213->219 214->218 230 e35506-e35518 218->230 231 e3553b 218->231 240 e3555c-e35584 230->240 242 e3551a-e35539 230->242 233 e3553c-e3553e 231->233 235 e35540-e3555a 233->235 236 e3553f 233->236 235->240 236->235 250 e355c3-e355fb 240->250 251 e35586-e355c2 240->251 242->231 242->233 255 e35600-e35615 call e31034 250->255 251->250 261 e3561b 255->261 262 e35fff-e3600b 255->262 264 e35907-e35912 261->264 265 e35645-e3567e 261->265 266 e35975-e35995 261->266 267 e357a9-e357d9 261->267 268 e3585f-e35868 261->268 270 e36012-e36026 262->270 279 e358f3-e35902 264->279 280 e35914-e35920 264->280 287 e35690-e35697 265->287 288 e35680-e3568e 265->288 266->255 267->255 271 e36029-e36032 268->271 272 e3586e-e3587f 268->272 272->255 279->255 280->255 289 e3569e-e356a7 287->289 288->289 289->255
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (t$(t
                                            • API String ID: 0-3871297952
                                            • Opcode ID: fdead6e43724a0bad39ea04db5a94deac440b7dddd26af8061c5618fe3fa27a9
                                            • Instruction ID: b3607118ec437808d157ce5b691ab51c218929bad3ee6e5577f1958d6772550f
                                            • Opcode Fuzzy Hash: fdead6e43724a0bad39ea04db5a94deac440b7dddd26af8061c5618fe3fa27a9
                                            • Instruction Fuzzy Hash: 67A1383A518A80AFC719CF28845C99E7FA2EF41711FD4A0FEC6477B352D6229845CF45
                                            Function 04EB8CEC Relevance: 1.6, APIs: 1, Instructions: 61memorynativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 483 4eb8cec-4ebbc1c NtAllocateVirtualMemory 486 4ebbc1e-4ebbc24 483->486 487 4ebbc25-4ebbc42 483->487 486->487
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 04EBBC0F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 616f07df8c2764d30bd1d391a98219b3b6fe5697f053fc281520f5e49b6e9fb0
                                            • Instruction ID: fd7969945eeb3f136c4e687ae0577c36dd2669d2a6d84dd15e9c268fdecefdec
                                            • Opcode Fuzzy Hash: 616f07df8c2764d30bd1d391a98219b3b6fe5697f053fc281520f5e49b6e9fb0
                                            • Instruction Fuzzy Hash: 4E21EFB190025DAFCF10DF9AD884ADEFBB4FB48710F50852AE918A7240D374A914CFA5
                                            Function 04EB8CF8 Relevance: 1.6, APIs: 1, Instructions: 61nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 490 4eb8cf8-4ebbca6 493 4ebbca8-4ebbcb4 490->493 494 4ebbcb6-4ebbce9 NtWriteVirtualMemory 490->494 493->494 495 4ebbceb-4ebbcf1 494->495 496 4ebbcf2-4ebbd06 494->496 495->496
                                            APIs
                                            • NtWriteVirtualMemory.NTDLL(?,?,00000000,?,?), ref: 04EBBCDC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: MemoryVirtualWrite
                                            • String ID:
                                            • API String ID: 3527976591-0
                                            • Opcode ID: 00c34a14df3c71a681bec24e535456ae527964d3156ab0befd38e3eaafa032c0
                                            • Instruction ID: 02b0d7bcf8a7a043c3ca8465139a03bc8af9b2f81ea544be98a9dbaad2b6a033
                                            • Opcode Fuzzy Hash: 00c34a14df3c71a681bec24e535456ae527964d3156ab0befd38e3eaafa032c0
                                            • Instruction Fuzzy Hash: 8121F0B59002499FCB21DF9AC885BDEBBF4FB48310F108429E929A7250D774A954CFA1
                                            Function 04EBBC50 Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 505 4ebbc50-4ebbca6 507 4ebbca8-4ebbcb4 505->507 508 4ebbcb6-4ebbce9 NtWriteVirtualMemory 505->508 507->508 509 4ebbceb-4ebbcf1 508->509 510 4ebbcf2-4ebbd06 508->510 509->510
                                            APIs
                                            • NtWriteVirtualMemory.NTDLL(?,?,00000000,?,?), ref: 04EBBCDC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: MemoryVirtualWrite
                                            • String ID:
                                            • API String ID: 3527976591-0
                                            • Opcode ID: 7aae4ab1ed2c1b256a25363b1d6ed359b687fa09cc5afdbd8ee9478114bcd51d
                                            • Instruction ID: 51d43d1b15d920208594e3d2f9695691fcb55e758f5364d6e50054660bf9edc1
                                            • Opcode Fuzzy Hash: 7aae4ab1ed2c1b256a25363b1d6ed359b687fa09cc5afdbd8ee9478114bcd51d
                                            • Instruction Fuzzy Hash: 2C2102B59002498FCB11CF9AC885BDEBBF5FB88310F10842AE868A7750D774A954CFA1
                                            Function 04EBC1B0 Relevance: 1.6, APIs: 1, Instructions: 55nativethreadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 517 4ebc1b0-4ebc1b1 518 4ebc19d-4ebc1a5 517->518 519 4ebc1b3-4ebc227 NtSetContextThread 517->519 521 4ebc229-4ebc22f 519->521 522 4ebc230-4ebc244 519->522 521->522
                                            APIs
                                            • NtSetContextThread.NTDLL(?,?), ref: 04EBC21A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 8784ddce5e9c15f54b45941ca796a83ff189772af73788f87b6d927b59297a37
                                            • Instruction ID: efc269240e5701cee4b28771ac14b5827f7ec1be7cf1c2a282ef722b252de9b1
                                            • Opcode Fuzzy Hash: 8784ddce5e9c15f54b45941ca796a83ff189772af73788f87b6d927b59297a37
                                            • Instruction Fuzzy Hash: 6D1143B59042498FDB20DF8AD485BDEBBF4FB88320F20842AD558A3350C374A945CFA1
                                            Function 04EBA060 Relevance: 1.6, APIs: 1, Instructions: 51nativethreadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 524 4eba060-4ebc35f NtResumeThread 527 4ebc368-4ebc37c 524->527 528 4ebc361-4ebc367 524->528 528->527
                                            APIs
                                            • NtResumeThread.NTDLL(?,?), ref: 04EBC352
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: b8de3eb32f1bf169b901859b8d9a39952f33921a0cb1784911ce6d1c79e10ca4
                                            • Instruction ID: 733cafd90337b53d5c179710021da904194be46f5010d04f355cf55ba7a3e62e
                                            • Opcode Fuzzy Hash: b8de3eb32f1bf169b901859b8d9a39952f33921a0cb1784911ce6d1c79e10ca4
                                            • Instruction Fuzzy Hash: 8911E2B19046599BCB10DF9AD484BDEFBF4FB48714F20816AE418A3240D374A914CFE5
                                            Function 04EB8CE0 Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 530 4eb8ce0-4ebbb5f NtUnmapViewOfSection 533 4ebbb68-4ebbb7c 530->533 534 4ebbb61-4ebbb67 530->534 534->533
                                            APIs
                                            • NtUnmapViewOfSection.NTDLL(?,?), ref: 04EBBB52
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: SectionUnmapView
                                            • String ID:
                                            • API String ID: 498011366-0
                                            • Opcode ID: f4a5a24e272d0e7a1b8e267cdca8f2e61f94dc8977262c767dc2e81768e247a0
                                            • Instruction ID: 998632cd3d0de39d7a05eb4584f242ae2ed3e9282d106bf4d365c140bea89fc0
                                            • Opcode Fuzzy Hash: f4a5a24e272d0e7a1b8e267cdca8f2e61f94dc8977262c767dc2e81768e247a0
                                            • Instruction Fuzzy Hash: BE1122B19003498FCB20DF9AC885BDFBBF8EB88320F208419D459A3740D774A944CFA5
                                            Function 04EB8D1C Relevance: 1.5, APIs: 1, Instructions: 48nativethreadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtSetContextThread.NTDLL(?,?), ref: 04EBC21A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 3feb4c1d0dd52e575e1ceb8a17f315b450dd0a7d71314486068113cb5f14d666
                                            • Instruction ID: 9ca314af3477981d264e083b7fa853979c296086dcd8a292f0610206df461c0b
                                            • Opcode Fuzzy Hash: 3feb4c1d0dd52e575e1ceb8a17f315b450dd0a7d71314486068113cb5f14d666
                                            • Instruction Fuzzy Hash: DE1122B59047498FDB20DF9AC484BDEBBF8EB88320F208429D558A3340D374A944CFA5
                                            Function 04EB8D10 Relevance: 1.5, APIs: 1, Instructions: 48nativethreadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 536 4eb8d10-4ebc227 NtSetContextThread 539 4ebc229-4ebc22f 536->539 540 4ebc230-4ebc244 536->540 539->540
                                            APIs
                                            • NtSetContextThread.NTDLL(?,?), ref: 04EBC21A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 2f11707019d9d10a36d8ab075c71761d279ecc7c17b3dc534688a3c8419a1887
                                            • Instruction ID: 23f57dd2d72289c5f5b327a83098d4bd5ddf84cdaf14336a0dd5900db18ab6bd
                                            • Opcode Fuzzy Hash: 2f11707019d9d10a36d8ab075c71761d279ecc7c17b3dc534688a3c8419a1887
                                            • Instruction Fuzzy Hash: 761122B19047498FDB20DF9AC484BDEBBF4EB88320F208429D558A3340D374A944CFA5
                                            Function 04EB96E1 Relevance: .6, Instructions: 586COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1ff671add88f8515bf8bbbaf3428e24d25502cb9b3ad54ae34f88c128cde9f4
                                            • Instruction ID: 229b23557cc2abda5e27ad59de5d14b36456994854f092a4f4cf80e00f9e45d3
                                            • Opcode Fuzzy Hash: f1ff671add88f8515bf8bbbaf3428e24d25502cb9b3ad54ae34f88c128cde9f4
                                            • Instruction Fuzzy Hash: CA528374A00229CFDB64CF69D984BDEBBB1BF49314F1091A9E949A7361D730AE81CF50
                                            Function 04EB8000 Relevance: .3, Instructions: 270COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 81a9f9dba599fdbed08451dfd314eec1bda168f5779c91f4e37c459156faa307
                                            • Instruction ID: c0d36338cd8a08ab59e1fd2982ad7b0f0471c9b603971db19552e30e569040ef
                                            • Opcode Fuzzy Hash: 81a9f9dba599fdbed08451dfd314eec1bda168f5779c91f4e37c459156faa307
                                            • Instruction Fuzzy Hash: 56A155797041049FD748EB98D5A15AAF7A6FBC9304B24C46AD906AB385DF32ED038B90
                                            Function 04EB8010 Relevance: .3, Instructions: 261COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b94e9c68cd77e9cf4402610877c6fd26d57b25449afb16289f6142fb8a25641
                                            • Instruction ID: e1f2cd1b3a2f7754dfcf880cdcd68a0a24229fb6fb3d4c5dceb05dcc473a4f1d
                                            • Opcode Fuzzy Hash: 4b94e9c68cd77e9cf4402610877c6fd26d57b25449afb16289f6142fb8a25641
                                            • Instruction Fuzzy Hash: 55A166797041049FD748EB98D5A15AAF7A6FBC9304F24C45AD906AB385DF32ED038B90
                                            Function 04EB7D91 Relevance: .1, Instructions: 149COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 69154df2270ba542ba9d708f988041b021b1610c1012beedb7f32ab6412df675
                                            • Instruction ID: aec19f5ac4e2c64e55c7b0f74992b71f83471a585a276c6780437611c90486bd
                                            • Opcode Fuzzy Hash: 69154df2270ba542ba9d708f988041b021b1610c1012beedb7f32ab6412df675
                                            • Instruction Fuzzy Hash: 04519775B041049FD748EB64D5A19BEFBA6EBCE300B14C51ED806AB795DF31AC02CB91
                                            Function 04EB7DA0 Relevance: .1, Instructions: 144COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e54e879860526bba09d7838b5c23b0c823144ef8460fc93db105aa8c1bcff859
                                            • Instruction ID: ab2756e4620dc351a06fc5f0fff317c95a9de7e6fd09ad93c741590e3a346121
                                            • Opcode Fuzzy Hash: e54e879860526bba09d7838b5c23b0c823144ef8460fc93db105aa8c1bcff859
                                            • Instruction Fuzzy Hash: 16519779B041049FC748EB64D5929BEFBA6EBCD300B14C51ED806AB785DF31AC02CB91
                                            Function 04EB8CB8 Relevance: 1.7, APIs: 1, Instructions: 232processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 336 4eb8cb8-4ebb854 340 4ebb8a8-4ebb8c8 336->340 341 4ebb856-4ebb87b 336->341 345 4ebb8ca-4ebb8ef 340->345 346 4ebb91c-4ebb94c 340->346 341->340 344 4ebb87d-4ebb87f 341->344 347 4ebb8a2-4ebb8a5 344->347 348 4ebb881-4ebb88b 344->348 345->346 356 4ebb8f1-4ebb8f3 345->356 354 4ebb94e-4ebb976 346->354 355 4ebb9a3-4ebb9c3 346->355 347->340 349 4ebb88f-4ebb89e 348->349 350 4ebb88d 348->350 349->349 353 4ebb8a0 349->353 350->349 353->347 354->355 366 4ebb978-4ebb97a 354->366 364 4ebb9d3-4ebba24 CreateProcessA 355->364 365 4ebb9c5-4ebb9d1 355->365 357 4ebb916-4ebb919 356->357 358 4ebb8f5-4ebb8ff 356->358 357->346 361 4ebb903-4ebb912 358->361 362 4ebb901 358->362 361->361 363 4ebb914 361->363 362->361 363->357 367 4ebba2d-4ebba66 364->367 368 4ebba26-4ebba2c 364->368 365->364 369 4ebb99d-4ebb9a0 366->369 370 4ebb97c-4ebb986 366->370 375 4ebba68-4ebba6c 367->375 376 4ebba76-4ebba7a 367->376 368->367 369->355 372 4ebb98a-4ebb999 370->372 373 4ebb988 370->373 372->372 377 4ebb99b 372->377 373->372 375->376 378 4ebba6e 375->378 379 4ebba8a-4ebba8e 376->379 380 4ebba7c-4ebba80 376->380 377->369 378->376 381 4ebba9e 379->381 382 4ebba90-4ebba94 379->382 380->379 383 4ebba82 380->383 385 4ebba9f 381->385 382->381 384 4ebba96 382->384 383->379 384->381 385->385
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 04EBBA14
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 224d94c86d912e5eac700d4613da9f8c2ddcda1fbea8fb741b0a942a0c91bad0
                                            • Instruction ID: 2f6a59f7639ba87cd71c7e9c5feacb93df55eadb9276844aff754825bb176452
                                            • Opcode Fuzzy Hash: 224d94c86d912e5eac700d4613da9f8c2ddcda1fbea8fb741b0a942a0c91bad0
                                            • Instruction Fuzzy Hash: 01918A71E043599FDB11CFA9C8817EEBBF1EF48314F148129E894E7691E774A881CB91
                                            Function 04EB8CD4 Relevance: 1.7, APIs: 1, Instructions: 218processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 386 4eb8cd4-4ebb854 389 4ebb8a8-4ebb8c8 386->389 390 4ebb856-4ebb87b 386->390 394 4ebb8ca-4ebb8ef 389->394 395 4ebb91c-4ebb94c 389->395 390->389 393 4ebb87d-4ebb87f 390->393 396 4ebb8a2-4ebb8a5 393->396 397 4ebb881-4ebb88b 393->397 394->395 405 4ebb8f1-4ebb8f3 394->405 403 4ebb94e-4ebb976 395->403 404 4ebb9a3-4ebb9c3 395->404 396->389 398 4ebb88f-4ebb89e 397->398 399 4ebb88d 397->399 398->398 402 4ebb8a0 398->402 399->398 402->396 403->404 415 4ebb978-4ebb97a 403->415 413 4ebb9d3-4ebba24 CreateProcessA 404->413 414 4ebb9c5-4ebb9d1 404->414 406 4ebb916-4ebb919 405->406 407 4ebb8f5-4ebb8ff 405->407 406->395 410 4ebb903-4ebb912 407->410 411 4ebb901 407->411 410->410 412 4ebb914 410->412 411->410 412->406 416 4ebba2d-4ebba66 413->416 417 4ebba26-4ebba2c 413->417 414->413 418 4ebb99d-4ebb9a0 415->418 419 4ebb97c-4ebb986 415->419 424 4ebba68-4ebba6c 416->424 425 4ebba76-4ebba7a 416->425 417->416 418->404 421 4ebb98a-4ebb999 419->421 422 4ebb988 419->422 421->421 426 4ebb99b 421->426 422->421 424->425 427 4ebba6e 424->427 428 4ebba8a-4ebba8e 425->428 429 4ebba7c-4ebba80 425->429 426->418 427->425 430 4ebba9e 428->430 431 4ebba90-4ebba94 428->431 429->428 432 4ebba82 429->432 434 4ebba9f 430->434 431->430 433 4ebba96 431->433 432->428 433->430 434->434
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 04EBBA14
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 6e4716f187236034af424e4607489a6803a83f901fcf9e12821f244b3c2af9c0
                                            • Instruction ID: c348fdacef0defd82f7f63a7cdf817531c0f39dda32bf5bd1451a67103cfedef
                                            • Opcode Fuzzy Hash: 6e4716f187236034af424e4607489a6803a83f901fcf9e12821f244b3c2af9c0
                                            • Instruction Fuzzy Hash: 74817A71E002499FDB14CFA9C8817EEBBF1FB48314F149129E898E7791E774A881CB81
                                            Function 04EBB7ED Relevance: 1.7, APIs: 1, Instructions: 215processCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 435 4ebb7ed-4ebb854 437 4ebb8a8-4ebb8c8 435->437 438 4ebb856-4ebb87b 435->438 442 4ebb8ca-4ebb8ef 437->442 443 4ebb91c-4ebb94c 437->443 438->437 441 4ebb87d-4ebb87f 438->441 444 4ebb8a2-4ebb8a5 441->444 445 4ebb881-4ebb88b 441->445 442->443 453 4ebb8f1-4ebb8f3 442->453 451 4ebb94e-4ebb976 443->451 452 4ebb9a3-4ebb9c3 443->452 444->437 446 4ebb88f-4ebb89e 445->446 447 4ebb88d 445->447 446->446 450 4ebb8a0 446->450 447->446 450->444 451->452 463 4ebb978-4ebb97a 451->463 461 4ebb9d3-4ebba24 CreateProcessA 452->461 462 4ebb9c5-4ebb9d1 452->462 454 4ebb916-4ebb919 453->454 455 4ebb8f5-4ebb8ff 453->455 454->443 458 4ebb903-4ebb912 455->458 459 4ebb901 455->459 458->458 460 4ebb914 458->460 459->458 460->454 464 4ebba2d-4ebba66 461->464 465 4ebba26-4ebba2c 461->465 462->461 466 4ebb99d-4ebb9a0 463->466 467 4ebb97c-4ebb986 463->467 472 4ebba68-4ebba6c 464->472 473 4ebba76-4ebba7a 464->473 465->464 466->452 469 4ebb98a-4ebb999 467->469 470 4ebb988 467->470 469->469 474 4ebb99b 469->474 470->469 472->473 475 4ebba6e 472->475 476 4ebba8a-4ebba8e 473->476 477 4ebba7c-4ebba80 473->477 474->466 475->473 478 4ebba9e 476->478 479 4ebba90-4ebba94 476->479 477->476 480 4ebba82 477->480 482 4ebba9f 478->482 479->478 481 4ebba96 479->481 480->476 481->478 482->482
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 04EBBA14
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: f042c3947b37ef819183374ba285e771b688c676b0000faf10d6cdae8e818d2e
                                            • Instruction ID: 7ec890a679a59b2cc5cf9bca71eac85bf62782d8cf14766343531bb1f67df777
                                            • Opcode Fuzzy Hash: f042c3947b37ef819183374ba285e771b688c676b0000faf10d6cdae8e818d2e
                                            • Instruction Fuzzy Hash: C0816A71E002499FDB14CFA9C8817EEBBF2FB48314F149129E898E7691D774A881CB81
                                            Function 04EB8D04 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 498 4eb8d04-4ebbde3 VirtualProtectEx 501 4ebbdec-4ebbe14 498->501 502 4ebbde5-4ebbdeb 498->502 502->501
                                            APIs
                                            • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 04EBBDD6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 53673d08407b2df3804cf6d332fff9bf211ccfb45a5fd49251337a7961a12fe7
                                            • Instruction ID: 18403c48dd354701e7e4c8970088643606eddd42f0f3bc05b786e7818d6a3426
                                            • Opcode Fuzzy Hash: 53673d08407b2df3804cf6d332fff9bf211ccfb45a5fd49251337a7961a12fe7
                                            • Instruction Fuzzy Hash: 082115759003499FCB10DF9AC484BDEBBF5FF88320F548429E958A7251D778A944CFA1
                                            Function 04EB3F88 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 512 4eb3f88-4eb4008 VirtualProtect 514 4eb400a-4eb4010 512->514 515 4eb4011-4eb4032 512->515 514->515
                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04EB3FFB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 8307629b3ae6edece568f0bf9c9064b56ee57635c652d2660d04adea9f8f7c34
                                            • Instruction ID: 67b0cb53353725cd7d81beb09c7c90df17c873d6d2e0805e8b4e2ffa648cf1c1
                                            • Opcode Fuzzy Hash: 8307629b3ae6edece568f0bf9c9064b56ee57635c652d2660d04adea9f8f7c34
                                            • Instruction Fuzzy Hash: 4B21E4B59002499FDB20DF9AC885BDEFBF4FB48320F108429E958A7251D378A944CFA1
                                            Function 00E38458 Relevance: .2, Instructions: 218COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1506334cf06753e5f3a25d5616e3b4d99e3912830405c6137ea7fddaff31dd38
                                            • Instruction ID: 636ccc703ebfdd8c294687e3185e05cb7a9584615a01e894610b0430e18fefef
                                            • Opcode Fuzzy Hash: 1506334cf06753e5f3a25d5616e3b4d99e3912830405c6137ea7fddaff31dd38
                                            • Instruction Fuzzy Hash: B891BE75A082509FC705DF24C99C999BFB6EFAA300B4A85EEE5459F3A2CB35DC41CB40
                                            Function 00E3599A Relevance: .1, Instructions: 88COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5f0ccc0d56f0ef8ad9eaae830945a4ae692a6332dc79c53ca1ae3542c63b898
                                            • Instruction ID: e3828a5386aadeeeb2038d1a8e5071119a7836198fdbc52265bab72f4ae74e4f
                                            • Opcode Fuzzy Hash: b5f0ccc0d56f0ef8ad9eaae830945a4ae692a6332dc79c53ca1ae3542c63b898
                                            • Instruction Fuzzy Hash: B94107B4A00125CFCB18CF65D58996DBBB2FF49305F25919AD845AB362CB32ED81CF50
                                            Function 00E31891 Relevance: .1, Instructions: 64COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc647820e3833f4574f6af1e6062ebc2e7bc0ce23037c3c0d18de3d10aba061c
                                            • Instruction ID: e0cf1059a38355a6382d63fdcb582bad3e36930746ba2a52bb43b1a122a0fdd4
                                            • Opcode Fuzzy Hash: bc647820e3833f4574f6af1e6062ebc2e7bc0ce23037c3c0d18de3d10aba061c
                                            • Instruction Fuzzy Hash: 82219275A082548FDB60DB68D890B9ABBB2EF89300F0480EAD50DE7351DB715E45CF52
                                            Function 00E35E5D Relevance: .1, Instructions: 63COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b77394c86abc4fe07489b1529f14482da9957a6e51035af37eae6fa1f22f2890
                                            • Instruction ID: 9283f1857fefa242186ac2cfa890f51d71f347fd514bc8957a2804a1ce90d1fb
                                            • Opcode Fuzzy Hash: b77394c86abc4fe07489b1529f14482da9957a6e51035af37eae6fa1f22f2890
                                            • Instruction Fuzzy Hash: 6F314A74A04228DFDBA4CF29D884B99BBF6BB09604F5040EAE94DE7311D7319E80DF52
                                            Function 00F1001F Relevance: .1, Instructions: 54COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6877e5ca4ab42f55e6b5f6a53dfcef99a80433d9bafe80d08e16f1f22dd84893
                                            • Instruction ID: c11a550221f1d6662e38778ea693cdaad4a85884197541d102a62733b10637b8
                                            • Opcode Fuzzy Hash: 6877e5ca4ab42f55e6b5f6a53dfcef99a80433d9bafe80d08e16f1f22dd84893
                                            • Instruction Fuzzy Hash: 2D11002191E3C08FC70787B898741A07F71AE5B22139E40EBC0C6CF5F7D52A488AD722
                                            Function 00F10915 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2de876eedda6776a42bff7522d547f0b1db8ca7030916c43b6df066f584b9fd
                                            • Instruction ID: 4c1e73378e0497491412f0ddb5fab09936f6686c2e67e2e59a2e1d39e7a345e0
                                            • Opcode Fuzzy Hash: d2de876eedda6776a42bff7522d547f0b1db8ca7030916c43b6df066f584b9fd
                                            • Instruction Fuzzy Hash: BA01F936B093514FD71A462998307AA3F625FC6760F69C1EBD440CF397C9618C82E791
                                            Function 00F10930 Relevance: .0, Instructions: 41COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e365f92434582e3d20b9350146c653242bf4d2975d65b397a68e38dda330524
                                            • Instruction ID: b002bda960bb99f954c28bde723b4630c702cc00dd143a70965e1b02f5ffad97
                                            • Opcode Fuzzy Hash: 1e365f92434582e3d20b9350146c653242bf4d2975d65b397a68e38dda330524
                                            • Instruction Fuzzy Hash: 9DF0F636F402095BE72C950EC830B6B7696ABC8B20FB4C066D845CB385CEB18CC1BBD1
                                            Function 00F1032D Relevance: .0, Instructions: 41COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18adee103529bfa0b26f7573f4cc157d9e42c3bbe5be5cc50f54e7d48bb47946
                                            • Instruction ID: d15fbe67495c4f93ee3012340f6e7c726cb761e71b388cf023ec1bc086144d74
                                            • Opcode Fuzzy Hash: 18adee103529bfa0b26f7573f4cc157d9e42c3bbe5be5cc50f54e7d48bb47946
                                            • Instruction Fuzzy Hash: 88F06821B093954FD72A423858206A56F626BCB620B6D86FBC891CB156CA554CC6B352
                                            Function 00E32093 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf7124402ff5df5c5405aadcf0f99ccd5bcf41837e9558807919897483fab752
                                            • Instruction ID: b5832618558c2d535dca13e7e4fc9d35e1c3c4dd32745694e35bcfb09d1b8357
                                            • Opcode Fuzzy Hash: cf7124402ff5df5c5405aadcf0f99ccd5bcf41837e9558807919897483fab752
                                            • Instruction Fuzzy Hash: 4F014074B001089FDB14DF54C992BEDBBB1EB49704F20C5AAD909AB385DA31ED42CB90
                                            Function 00F1043D Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e71b0aec2915f55678ce051b4ee035c6edac40f38143463f859cef2033a445b5
                                            • Instruction ID: a05aff13fabd18e88ed48e47558dbb5c8139787aa3950d14ba5b4fd0edfa6107
                                            • Opcode Fuzzy Hash: e71b0aec2915f55678ce051b4ee035c6edac40f38143463f859cef2033a445b5
                                            • Instruction Fuzzy Hash: D1F0F621B4D3994FD72E926858701A52B621AC722036EC5FBC885CB256DE248CC3F392
                                            Function 00E334D8 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c83fe615f9c06630e664725d2e4b5775d9a57708fd1935a4b182e35350af35c8
                                            • Instruction ID: f7f15654399d1ff8bf2b33ef1289e17fd35b6004f4c9c29ff8eecfb68ddf4e22
                                            • Opcode Fuzzy Hash: c83fe615f9c06630e664725d2e4b5775d9a57708fd1935a4b182e35350af35c8
                                            • Instruction Fuzzy Hash: F9F09075A00608DFDB049BA4D85869DBBB2EBC5311F4084BAD62A67390DF351A68CB51
                                            Function 00E33573 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88f7f6a735c474d55c3363fbec8c79cf4a1965a191bc8d4b3905d58c88f5b860
                                            • Instruction ID: d8bb45b96c7a70279e5ec7be089fb38350a1f86ceb2d2e0856196e8eb413cc7e
                                            • Opcode Fuzzy Hash: 88f7f6a735c474d55c3363fbec8c79cf4a1965a191bc8d4b3905d58c88f5b860
                                            • Instruction Fuzzy Hash: C4F04470A006089FCB088F64C8597DDBBB2FF89301F1080AAD316A7390DF301A95DF51
                                            Function 00E34D83 Relevance: .0, Instructions: 26COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e753256a9c69109c394c64ad4d9ba809a97584a39133e55239ffda36feb11568
                                            • Instruction ID: 5a2c61850ecb3ac3a67c7ea53fbf666f01d960248f9f8d839d2ed3b54fa5523e
                                            • Opcode Fuzzy Hash: e753256a9c69109c394c64ad4d9ba809a97584a39133e55239ffda36feb11568
                                            • Instruction Fuzzy Hash: 29F01775D406089FDB05CFE0D464B9DBBB2EF88300F10846AD34BAE2A4DF3A5A44DB61
                                            Function 00E34F2A Relevance: .0, Instructions: 26COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 383753807a74ea23ebc6a58d958fb47807a0570c74f33631f7d60805ad8b515f
                                            • Instruction ID: aaa4575b2a11c3c7a92aa63981edef4199ff66bac3c320a776fe6393f4ef4fdc
                                            • Opcode Fuzzy Hash: 383753807a74ea23ebc6a58d958fb47807a0570c74f33631f7d60805ad8b515f
                                            • Instruction Fuzzy Hash: 0DF01275E4061A8FDB158F90D868BEDBB75FF49700F1080FAD31AAA2A0DF354A44AF51
                                            Function 00F10725 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 046689a312ed3949e6dc80462e523f7abbff6738d41041fdc0f34e72b2c7688b
                                            • Instruction ID: 4b801be963e200011a2c0ec4930d151db4e02a537573ba2169d74d2f5aa611c2
                                            • Opcode Fuzzy Hash: 046689a312ed3949e6dc80462e523f7abbff6738d41041fdc0f34e72b2c7688b
                                            • Instruction Fuzzy Hash: B9E08C792496C49FC7078B20D9664E47F72AE472007AEC0E7D0898F6B3C6298848CF02
                                            Function 00F1076D Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8abc8bbbf48657d01f1c3fa5c412da65b278de7f6a13ff3fc83542924163fa91
                                            • Instruction ID: d883cd63390b006aa4178aff38be498f420e018dbecc083ec8154c9cec80d668
                                            • Opcode Fuzzy Hash: 8abc8bbbf48657d01f1c3fa5c412da65b278de7f6a13ff3fc83542924163fa91
                                            • Instruction Fuzzy Hash: 1AF06D3250E7C45FC70357745C24AA9BF716E8711071E81CBE4C5CB6A3C6684819DBA6
                                            Function 00E31CF9 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e25d36469121fa78e008a076c3f28934a6cec62bd469c468312f57d4fb620db3
                                            • Instruction ID: 3e1110c25e0ddfc4b05c50e1e16c6ce7bd6944bb104eb24099ca31a492b7652d
                                            • Opcode Fuzzy Hash: e25d36469121fa78e008a076c3f28934a6cec62bd469c468312f57d4fb620db3
                                            • Instruction Fuzzy Hash: CAE09275944295CFDB08CF90C80AAAD7FB5FB06310F50518AEA01BB752C7345942CB73
                                            Function 00F10521 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67e8fbc4ac2e6b43e54bb6204e1a4353df904287f5a2f1f0e6759280bdeed49e
                                            • Instruction ID: 326e48aa1c43db19b6fc308f17b7caeefa06bfee0e31acc84cf26fe67c6134b8
                                            • Opcode Fuzzy Hash: 67e8fbc4ac2e6b43e54bb6204e1a4353df904287f5a2f1f0e6759280bdeed49e
                                            • Instruction Fuzzy Hash: 61E0BD42A1E3E04FE75752342C301A86F715E8301070E01EBE981DB2E3E94D0C0AA3B3
                                            Function 00F104A5 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a53c59ca2f8f5decdacce07c7bafd25b797b5204c64fe36c465216a9f60ca58a
                                            • Instruction ID: 4c21f49a78be5661b644e85a32602ef0fc1b5757d543cdafe185350d1bf4708c
                                            • Opcode Fuzzy Hash: a53c59ca2f8f5decdacce07c7bafd25b797b5204c64fe36c465216a9f60ca58a
                                            • Instruction Fuzzy Hash: 7BE0170560E3E00FC70763386C350A93F704E9B56034F00DBE480DB5E3D5080E0A87A7
                                            Function 00E340FD Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 24130333498b1b8baeb0bacf5a9bc5e0dc9500f7f39c031a0b217f7d79bfff39
                                            • Instruction ID: 75cfceeb384b25c531168ec41b8dc334984e7768c0be6190911892a1533e170d
                                            • Opcode Fuzzy Hash: 24130333498b1b8baeb0bacf5a9bc5e0dc9500f7f39c031a0b217f7d79bfff39
                                            • Instruction Fuzzy Hash: A2F06570A006099FDF548F90C8547DEBBB2EF99300F0440E9D24AAA2A0DF310A809F42
                                            Function 00E33C17 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f0ac0bfd8ec1dd3771b9a8529a400a69b1159122274602260e208f708afbdfc
                                            • Instruction ID: e82434cc212f842ee9475e98dcfa456ff108f28e004cd1e5badc38ed813450da
                                            • Opcode Fuzzy Hash: 9f0ac0bfd8ec1dd3771b9a8529a400a69b1159122274602260e208f708afbdfc
                                            • Instruction Fuzzy Hash: A0F0C07194061ADFDB148F94D864B9DBAB6EF98300F1081AAD20AAA2A0DB754A449F61
                                            Function 00E34192 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e1f3f9b38cbd2d266fae3d73b95d1c4ffefb9ac17f9d846f27ab1515d29148a
                                            • Instruction ID: f74ade1df62e93b2c1df3ee3693bacd0c7ee8ba6eb2023b9a5fe72196c7b9b6c
                                            • Opcode Fuzzy Hash: 0e1f3f9b38cbd2d266fae3d73b95d1c4ffefb9ac17f9d846f27ab1515d29148a
                                            • Instruction Fuzzy Hash: BAF0C071900615DFDB55CFA0C954B9DBA77EB44700F0084EAC20AAA260DF354A84DF62
                                            Function 00E34594 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d33bce04e3f6069b167d53a04383f32f4c060c708b6d612ce17e8b49a95ad157
                                            • Instruction ID: f5538f346a7b8f5a9373c188c65cf05ecd87841ba60b5d2477679a941fd237d6
                                            • Opcode Fuzzy Hash: d33bce04e3f6069b167d53a04383f32f4c060c708b6d612ce17e8b49a95ad157
                                            • Instruction Fuzzy Hash: DDF0C071D006599FCB499FA4C9557DDBA72EB84700F0084A6D30BBA2A0DF714A849B51
                                            Function 00E35292 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af3c6267ad8c5d5eb3c2cb21bc5fb21757b3bf168ce1474417caa284feae95fd
                                            • Instruction ID: f33f57191b0aeebac4260d68c9b39da8c9b74bb35968559197f4796643ceef86
                                            • Opcode Fuzzy Hash: af3c6267ad8c5d5eb3c2cb21bc5fb21757b3bf168ce1474417caa284feae95fd
                                            • Instruction Fuzzy Hash: 46E09231D04A16EFCF61CBA4D9486EABBB2FB98301F00499A850AAA660CB310A519F51
                                            Function 00E337D7 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b17279ecc45832c0e9e428d6f0d6fadde91615926d17b3c4422f7b900c01751d
                                            • Instruction ID: 21ee050e5c27c42ac22d96575aab015b9ff4ccdf3f7f648ee4f6f631d6d2512b
                                            • Opcode Fuzzy Hash: b17279ecc45832c0e9e428d6f0d6fadde91615926d17b3c4422f7b900c01751d
                                            • Instruction Fuzzy Hash: 72F03031D005199FDB158BA0C8547DDBBB2EB58700F0085A9C31AA72A0DB764A909F50
                                            Function 00E31CDD Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0c86e77580cb1db8e395dd76135bae4433d922b394154b85639c0447b9c0bb7
                                            • Instruction ID: 0b3ccb7beea0a3aeaaa1bb38e4f33ea8899e608f83b7a4d0ad724f8b5898195c
                                            • Opcode Fuzzy Hash: e0c86e77580cb1db8e395dd76135bae4433d922b394154b85639c0447b9c0bb7
                                            • Instruction Fuzzy Hash: 0AE0CD305042888EDB0CDE90C81A7FD7FB4EB46300F60709E9502F7651DA301D00C722
                                            Function 00E35925 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3084170902349e0b584c3d6a1ab843dc3a3f3eb1482e99509b62c18969cf28f
                                            • Instruction ID: 081ab942a15d50c49b03a7835070c5082e339792cd29e34355801e41482f7bea
                                            • Opcode Fuzzy Hash: d3084170902349e0b584c3d6a1ab843dc3a3f3eb1482e99509b62c18969cf28f
                                            • Instruction Fuzzy Hash: 67F0A5B9A50524CFC788DF28CA98D587BB0FF4D214B1181D9EA069B3B1DA30EC00DF00
                                            Function 00E33766 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 328006d565edac3829476df7d9ee980a97689b52211f76985c72369d9677e982
                                            • Instruction ID: 1f4c8d3236c158edf948d0c7b6c6385b0d17e4a83de09d978b5244dd351c1739
                                            • Opcode Fuzzy Hash: 328006d565edac3829476df7d9ee980a97689b52211f76985c72369d9677e982
                                            • Instruction Fuzzy Hash: 96E086719007069FDB058FA4845569EBFB2EF44340F144465D106AB360DF318642D710
                                            Function 00F10090 Relevance: .0, Instructions: 17COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 58372bfe1eae5a06dd03382aa420bef8b22e0e1429e52c7ae58b4048b16a764e
                                            • Instruction ID: 4462541e78eb84704872419c0218f3bcf48dbe0daaa65b48bb85a26c3815e4e6
                                            • Opcode Fuzzy Hash: 58372bfe1eae5a06dd03382aa420bef8b22e0e1429e52c7ae58b4048b16a764e
                                            • Instruction Fuzzy Hash: 7CD05E35B20209CF87189A6DC0147667396AFCD61576080B8D0058B662DE71DCC16A06
                                            Function 00F10740 Relevance: .0, Instructions: 17COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc033abf493703039a8a494c32558a8379bef3fa328ae5644659c2a960629266
                                            • Instruction ID: 9c8f51a75efd007a6b38e9ba7160afd127a69a56c8ff950ef0d6bb9cc3dd2bc4
                                            • Opcode Fuzzy Hash: fc033abf493703039a8a494c32558a8379bef3fa328ae5644659c2a960629266
                                            • Instruction Fuzzy Hash: ABD05E34B002098F8B48A61DC0105A137A76FC97103348864D0098B2A1DEB0ACC0AE01
                                            Function 00F10788 Relevance: .0, Instructions: 14COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389231627.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f10000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 95364a0ea747a489595846e4822e68596c8fb36987310e0b7d42dc9f06040c99
                                            • Instruction ID: be7274d84c54aafb8d54ab8e3ee8d873ed0ec300bd4d4e5a95e1dbb26f9f2b87
                                            • Opcode Fuzzy Hash: 95364a0ea747a489595846e4822e68596c8fb36987310e0b7d42dc9f06040c99
                                            • Instruction Fuzzy Hash: A7C0123260011C678B052A95A800AAE7B9EFBC8671B108416FD8987310CF714D21A7D5
                                            Function 00E350ED Relevance: .0, Instructions: 13COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab9303538d2acbd143245904b262701e5033441a8f3a80454186dffa392f36cb
                                            • Instruction ID: a21a18f8fc81cc436390a6620591554b1f228388ac853a4c3583be6253f58dfe
                                            • Opcode Fuzzy Hash: ab9303538d2acbd143245904b262701e5033441a8f3a80454186dffa392f36cb
                                            • Instruction Fuzzy Hash: DED02229E002217FC702CF3884885AEBFE5EA80300F209D200800AA301E2B093868AA8
                                            Function 00E31458 Relevance: .0, Instructions: 13COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9937445806d7d3b1b74cbf2d19c7da738941dabf700c01b24175bcb51a36a2c4
                                            • Instruction ID: 38260db7b79935430e64b4b710fcf91d83430b732d89564d10543c07a072c53b
                                            • Opcode Fuzzy Hash: 9937445806d7d3b1b74cbf2d19c7da738941dabf700c01b24175bcb51a36a2c4
                                            • Instruction Fuzzy Hash: 50D0C9742045089FD384FBA4E89562DBB66EF85708B54C069A80E8B766DEB2AC42CB40
                                            Function 00E35D64 Relevance: .0, Instructions: 13COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b37353162f708b1369f15819645088208cae77ba4112ab84cf4cb4495af43be
                                            • Instruction ID: 37a4b5725f6226d122f7fbabc4b6f0269eadcd877ac991a44fdf6ec6bb90423c
                                            • Opcode Fuzzy Hash: 7b37353162f708b1369f15819645088208cae77ba4112ab84cf4cb4495af43be
                                            • Instruction Fuzzy Hash: A8D02EA1808A899A8B0ADBB0808A4ABBEA48E02120F95509FD492AF083C2204040C2B1
                                            Function 00E340C4 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7236f1ad246a8d7a81a05292163e1309a9a982f831effdf4b04fd141b0d79b02
                                            • Instruction ID: 002104696eb0eb83ca7361709e3d15a6035c1ab185aaa2cbd6dda1bfd30bd292
                                            • Opcode Fuzzy Hash: 7236f1ad246a8d7a81a05292163e1309a9a982f831effdf4b04fd141b0d79b02
                                            • Instruction Fuzzy Hash: 90D05E71E0060D9FDB158FA0D8986AEBA72FF88300F1049A9D34FA6260DB358A819B51
                                            Function 00E35061 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab0dd4c4eb33b59991a2c8a076f2c26fe91dc444268b5f44275f0a1ab306eb36
                                            • Instruction ID: fb88b2d8674603e45b6bf78f557fd4945845f72b9b5715b1941bc7ce111ba015
                                            • Opcode Fuzzy Hash: ab0dd4c4eb33b59991a2c8a076f2c26fe91dc444268b5f44275f0a1ab306eb36
                                            • Instruction Fuzzy Hash: 0FD05E719001059FCB458FA0C8A5BEDFFB2EB85300F1085A6C30EA6260DF354A819F01
                                            Function 00E35195 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f4d859c5d44a287e473a73409cbacb72f5236e52ea1a6151a1a136cc2842e6b9
                                            • Instruction ID: d4a6537738be8946769478d1a4e8b4e34f0d21bbb6852d7903f9609168210d69
                                            • Opcode Fuzzy Hash: f4d859c5d44a287e473a73409cbacb72f5236e52ea1a6151a1a136cc2842e6b9
                                            • Instruction Fuzzy Hash: 97D05E729006099FCB06CFE0C59469EBFB2EF88300F1088698206EA260DB725A119B21
                                            Function 00E35129 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d4394d666ae41d7d25a9f4b6fefcfd81f90f955b3caaec9cce5b2ed79632541
                                            • Instruction ID: fc4686b9691623af9b9c6ceed358026d7b5d2679e36c348a34f26da1d2e2c7f4
                                            • Opcode Fuzzy Hash: 9d4394d666ae41d7d25a9f4b6fefcfd81f90f955b3caaec9cce5b2ed79632541
                                            • Instruction Fuzzy Hash: 73D01775910304ABCB04CFA0C554AADBBB2EB88700F205826C20AAA260EB308A00DB55
                                            Function 00E336F9 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 39d97576888b885145c8af19d1e7796d11b94fd3c602cb53c4ef7a720d935ef5
                                            • Instruction ID: 77637381b19e3baa115f80b3a827afbfe34eec558f18b4dbbb6f9aa42c110400
                                            • Opcode Fuzzy Hash: 39d97576888b885145c8af19d1e7796d11b94fd3c602cb53c4ef7a720d935ef5
                                            • Instruction Fuzzy Hash: 56D05E30900705DFDB099FA4C85479EFEB6EB84340F108426C20AAF260DF318641DB10
                                            Function 00E33A87 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f5698e647c912e4fd28a90444a419fab2895ef9dea43bb8a4ca7a78eb4c35b8
                                            • Instruction ID: 9de0b3cc7d5d890b4e94b05eec09e9cb1bf95059b3d4719e5239b4dcc9469045
                                            • Opcode Fuzzy Hash: 7f5698e647c912e4fd28a90444a419fab2895ef9dea43bb8a4ca7a78eb4c35b8
                                            • Instruction Fuzzy Hash: C3D05B719003549FCF04CF60C86479EBB73FB84300F1144E6D156A6150DB305B459F41
                                            Function 00E35224 Relevance: .0, Instructions: 12COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e59eb205e358f571d83e723192049a93d22131363d773cb416c91f5cd073a898
                                            • Instruction ID: e8fadafec5e868d595c4f7399c8b27f70bab19fcc549ea5e33c48ed10a2e3d01
                                            • Opcode Fuzzy Hash: e59eb205e358f571d83e723192049a93d22131363d773cb416c91f5cd073a898
                                            • Instruction Fuzzy Hash: 62D01230900655DFCF15CBA0D958AD9BB72BB98301F1045968206AA2A0DB714A409A41
                                            Function 00E34181 Relevance: .0, Instructions: 11COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e49a49257b27b435636b8ec56f860075be190fc3d4e8a30dda425ebb3b964a7
                                            • Instruction ID: 1b55790a15504190a62d2d5ab53f2eb6e7778d4cf39db3a281f101401fcc596a
                                            • Opcode Fuzzy Hash: 1e49a49257b27b435636b8ec56f860075be190fc3d4e8a30dda425ebb3b964a7
                                            • Instruction Fuzzy Hash: 49C01260824B5A5A4F54CF3555445DBBE71EAC5300BD4EC698045AA596C131A651C541
                                            Function 00E32428 Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ed476de2e5ca1c14983e05590d181e21943bf590f57a9926a7c70b754db26473
                                            • Instruction ID: 073f2bc12019ef5cbe905c040e9617950b1ec38792f6e5bb6157f9db8ca71afb
                                            • Opcode Fuzzy Hash: ed476de2e5ca1c14983e05590d181e21943bf590f57a9926a7c70b754db26473
                                            • Instruction Fuzzy Hash: A3D01275908118CFDB0CDA94C966AAF7FB8AB8C310F322059E40277B91CE305D41CB21
                                            Function 00E32EDF Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 954b6ee329afbb2a27fa0903d492b5dfacfcd52fc89f93ed8d378c91cc31864f
                                            • Instruction ID: 9b990ba92effa51d5bd3a2a6b10ee0b857bde803979fd19c292cee555e06d09d
                                            • Opcode Fuzzy Hash: 954b6ee329afbb2a27fa0903d492b5dfacfcd52fc89f93ed8d378c91cc31864f
                                            • Instruction Fuzzy Hash: 0BC0C07400404501CF0CF374CC518EBEF5E6981380718838F0813FE003DB200409C371
                                            Function 00E37003 Relevance: .0, Instructions: 9COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7fa450c25eaa2d143016c98513c068540bcb1a03a44d7db3b10407549c4aa03
                                            • Instruction ID: cfc89680b4db50f3e58ee7665af758070f0aa9b2e340583b8bb7c27d2a7cfc56
                                            • Opcode Fuzzy Hash: f7fa450c25eaa2d143016c98513c068540bcb1a03a44d7db3b10407549c4aa03
                                            • Instruction Fuzzy Hash: 7AC080E27011294BC318E760C695205EB55FBD4700F92D395C0069F18AD130CA11D5C5
                                            Function 00E328C3 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7c25da5e0da52b3ec5b21bbe66968081d5914ad708de61b776bdc324356d3e3
                                            • Instruction ID: f60de62bed54043ac346cd549a6b4873f49a790febdb192c333dc0dd4e73cf31
                                            • Opcode Fuzzy Hash: e7c25da5e0da52b3ec5b21bbe66968081d5914ad708de61b776bdc324356d3e3
                                            • Instruction Fuzzy Hash: B5C08C7090000886CA4CD1A8C226ABEBAA987C8310F20D00B991772180CD2448028722
                                            Function 00E31EDF Relevance: .0, Instructions: 7COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a83b5cc2033673e88ac7596f1a562ef4a972af6c827cb616253dfde56dcb2dac
                                            • Instruction ID: 9d7035d202af9191260c4baae44ba08bdca73f8228d7a1c4b0b0e732a4efc7d8
                                            • Opcode Fuzzy Hash: a83b5cc2033673e88ac7596f1a562ef4a972af6c827cb616253dfde56dcb2dac
                                            • Instruction Fuzzy Hash: 63B09279A0800D8BDB48D6C4C864BBEB6BAABC9300F20905B5516B7682DD285801C732
                                            Function 00E322B4 Relevance: .0, Instructions: 7COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d0cd0742f8188507d4a89ba4dc36f3c690a77567af3fc68f79bd0807171eda0b
                                            • Instruction ID: ca2530c9571ba435183c99ece28c7cf058ce09083303203c40343a0e9e87b998
                                            • Opcode Fuzzy Hash: d0cd0742f8188507d4a89ba4dc36f3c690a77567af3fc68f79bd0807171eda0b
                                            • Instruction Fuzzy Hash: BEB0123030400C47CB58E6D8C96477EA5DF6BD4320F20A05E3006F3281CC244D00C336
                                            Function 00E31B32 Relevance: .0, Instructions: 7COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389076205.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd5a9e1f342d1c87ff022f364f4431f097ab831ca0d3370fceeae177bd6182a2
                                            • Instruction ID: fcc6bc8c186ad7f8334a67a210346976e0f9635399b21ea2f6570377f9297f2f
                                            • Opcode Fuzzy Hash: dd5a9e1f342d1c87ff022f364f4431f097ab831ca0d3370fceeae177bd6182a2
                                            • Instruction Fuzzy Hash: 60B0127470400A4BCB48D2C5842477EB5DF8FC4310F20505E1206F32D5CC204C00D336

                                            Non-executed Functions

                                            Function 04EBA162 Relevance: .5, Instructions: 452COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 53e3f05f95acb7403c0748e5cf64276d27b7ccaf86fb92dcc0fb59ad4afe4fc5
                                            • Instruction ID: d8cd68ef6f7feabd8bafceb1bfbae01ccf372d621dd2db5a68bdc2d8eb7b12e9
                                            • Opcode Fuzzy Hash: 53e3f05f95acb7403c0748e5cf64276d27b7ccaf86fb92dcc0fb59ad4afe4fc5
                                            • Instruction Fuzzy Hash: D8212EB1D056588FDB29CF6A9D543DABBF2AFC5300F04C1BAC448A7265D734164ACB51
                                            Function 04EB2880 Relevance: .2, Instructions: 232COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acb73da82ba4efd30c34626022cb9b93adead48764b0bb62207685b347a00942
                                            • Instruction ID: 3eeb325a002d131c8e75a60a712fe6a2c62b3372f699db1fff0a71da9e5074cb
                                            • Opcode Fuzzy Hash: acb73da82ba4efd30c34626022cb9b93adead48764b0bb62207685b347a00942
                                            • Instruction Fuzzy Hash: 0A81B675A04114CFC704CF78C8999EABBB5FF55310B0582A6E8959B362D730FD46DB80
                                            Function 04EB2A6C Relevance: .1, Instructions: 116COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389754965.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4eb0000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 35609abea94e58cbb637597b422c878ae7eb411e45526fa8fa334b489ade24eb
                                            • Instruction ID: c4c4f9b50d8dcf5d14ef7e77eed3125e4f956dd972e701d563788b406dca2ca6
                                            • Opcode Fuzzy Hash: 35609abea94e58cbb637597b422c878ae7eb411e45526fa8fa334b489ade24eb
                                            • Instruction Fuzzy Hash: A1318271B08244CFC7059B74C9EE4E77B71DB55200744516BDD868B722E624FA07D791
                                            Function 00F6E58C Relevance: .1, Instructions: 91COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389288686.0000000000F6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                                            • Associated: 00000000.00000002.1389259653.0000000000F30000.00000040.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389273349.0000000000F32000.00000040.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389309869.0000000001002000.00000040.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f30000_6ab092aeab924edb854b3ff21ea579df.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1aa0e1eb6315e82243e7f7f0c4133ed2653521d754011729fca37cab7eafb791
                                            • Instruction ID: ef448b997bb976aee67420314695416fc70dc9a4970a3a97ff1c95047c12b04f
                                            • Opcode Fuzzy Hash: 1aa0e1eb6315e82243e7f7f0c4133ed2653521d754011729fca37cab7eafb791
                                            • Instruction Fuzzy Hash: 69216A67B892150B970C483EEEA426B45C747CE22139DE73E654FCBFDDDC288D0A0150

                                            Execution Graph

                                            Execution Coverage:11.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:3
                                            Total number of Limit Nodes:0
                                            execution_graph 12036 183d160 12037 183d1a4 SetWindowsHookExW 12036->12037 12039 183d1ea 12037->12039

                                            Executed Functions

                                            Function 0183AB6C Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 104 183ab6c-183b1fc CheckRemoteDebuggerPresent 107 183b205-183b240 104->107 108 183b1fe-183b204 104->108 108->107
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 0183B1EF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841818050.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: cfab07d546f9a8f2e27df702f8184bd60dce5ffcf61cb137e76faf2285b9e5dd
                                            • Instruction ID: 5711ddef872b22f45ede7b7a7b15964f3b440072db4ffa3a48fc288cce0c33c8
                                            • Opcode Fuzzy Hash: cfab07d546f9a8f2e27df702f8184bd60dce5ffcf61cb137e76faf2285b9e5dd
                                            • Instruction Fuzzy Hash: AE2139B19002598FDB14DF9AC484BEEBBF4EF88310F14841AE455A3240D7789A44CFA0
                                            Function 0183B170 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 97 183b170-183b1fc CheckRemoteDebuggerPresent 100 183b205-183b240 97->100 101 183b1fe-183b204 97->101 101->100
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 0183B1EF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841818050.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 2a88e5671a4fee5ea5cf65b61d2cbe7e1b8dd42aa8c95dc30f38c60ddfedf54a
                                            • Instruction ID: 498a9ef0a1362045f2468206e18f3f60f1064561c0510fe9d47eb161ac0ea0dc
                                            • Opcode Fuzzy Hash: 2a88e5671a4fee5ea5cf65b61d2cbe7e1b8dd42aa8c95dc30f38c60ddfedf54a
                                            • Instruction Fuzzy Hash: 82217CB19002598FCB14CF9AC8847EEBBF4FF88310F144419E454A3340D7789A44CFA0
                                            Function 0183D158 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 111 183d158-183d1aa 114 183d1b6-183d1e8 SetWindowsHookExW 111->114 115 183d1ac 111->115 116 183d1f1-183d216 114->116 117 183d1ea-183d1f0 114->117 118 183d1b4 115->118 117->116 118->114
                                            APIs
                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0183D1DB
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841818050.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: ae2eec41a8c2dee387ba3e68d983a8877a36f71bf0e7828fe27d42190619fba0
                                            • Instruction ID: 3c457d6b32ed114376296e8f484ae5391ce92f51fa8fff90da77f3bda9414b0b
                                            • Opcode Fuzzy Hash: ae2eec41a8c2dee387ba3e68d983a8877a36f71bf0e7828fe27d42190619fba0
                                            • Instruction Fuzzy Hash: A62135719002099FDB14DFAAC844BEEFBF9FF88310F148429E414A7250CB74AA45CFA0
                                            Function 0183D160 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 122 183d160-183d1aa 124 183d1b6-183d1e8 SetWindowsHookExW 122->124 125 183d1ac 122->125 126 183d1f1-183d216 124->126 127 183d1ea-183d1f0 124->127 128 183d1b4 125->128 127->126 128->124
                                            APIs
                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0183D1DB
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841818050.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1830000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 458cc96b3ae38885d6bb91eed0c9fb4c3055ea1f5a5edffe189260b42f1088ae
                                            • Instruction ID: 9f6ba5c0afd69d7fa0d9944a31462ecc0b95782b8b64e8c5f9ca1fe462938d3e
                                            • Opcode Fuzzy Hash: 458cc96b3ae38885d6bb91eed0c9fb4c3055ea1f5a5edffe189260b42f1088ae
                                            • Instruction Fuzzy Hash: EE2115759002098FDB14DFAAC844BEEFBF9AF88310F148429E515A7250CB74AA44CFA0
                                            Function 017BD43C Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841243036.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_17bd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d141a1805bf054d24ef2b6dd20b6d6bdebd9ddb4c0539bd816ea3aceabbf76e
                                            • Instruction ID: 5b27b90e38d481c84f9edb4371f7627b79a7c5dae012eca20597ef1c1ed335cd
                                            • Opcode Fuzzy Hash: 9d141a1805bf054d24ef2b6dd20b6d6bdebd9ddb4c0539bd816ea3aceabbf76e
                                            • Instruction Fuzzy Hash: 382124B1104200DFDB25DF44D9C0B96FB61FB88228F24C5A9EC090B246C33AE416C6A1
                                            Function 017CD1CC Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841386945.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_17cd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a44e7228bebf44fbc084154e91c2c034517e75e834d9049f4677904db4424f91
                                            • Instruction ID: c2449b00db3ad9a8d28b76149d7a6643baf6ef1830222c18c6f7f39f8c6be1c2
                                            • Opcode Fuzzy Hash: a44e7228bebf44fbc084154e91c2c034517e75e834d9049f4677904db4424f91
                                            • Instruction Fuzzy Hash: 6521F5B56083049FDB25DF94D9C4B16FB66FB84B24F20C5BDD8094B246C336D846CBA1
                                            Function 017CD2B4 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841386945.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_17cd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c6e3f535466421165c5611db46a1b102812ee86ecc958cd87090be406d63c741
                                            • Instruction ID: 0dfb9fd2d74279d120a9b63ec4eaa1703c26c4232888703a50c0cccdbde9a85c
                                            • Opcode Fuzzy Hash: c6e3f535466421165c5611db46a1b102812ee86ecc958cd87090be406d63c741
                                            • Instruction Fuzzy Hash: D42100B5604304DFDB11DF94D984B26FB61FB88B24F20C5BDE8490B242C33AD806CBA1
                                            Function 017BD437 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841243036.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_17bd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                            • Instruction ID: 1c8ec5ed011555c645fe7eeb1a2e30a930873fb273d8e2561c8021e0b381bac6
                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                            • Instruction Fuzzy Hash: 4811CD76504240DFCB16CF44D9C0B56BF62FB88228F24C5A9D8094B656C33AD456CBA1
                                            Function 017CD2AF Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841386945.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_17cd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                            • Instruction ID: df59ddf848bd81e85035fb6792ad682c6bf308d124a174192a152a67fd1d4037
                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                            • Instruction Fuzzy Hash: 2F11AC75504640CFCB12CF54D5C0B15FB61FB44714F24C6AED8494B252C33AD40ACBA1
                                            Function 017CD1C7 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3841386945.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_17cd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                            • Instruction ID: 400439865d5d8897634d2c6a1382870e4f1140f1899adda1208dfbd9d2302ef8
                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                            • Instruction Fuzzy Hash: DD11BB79508284DFDB12CF54D5C0B15FBA2FB84724F24C6ADD8494B297C33AD40ACBA1

                                            Executed Functions

                                            Function 036DB470 Relevance: .3, Instructions: 261COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a64c4589fd7ca38ca900466d8af6255f8cd1f3e40f423057f6fcd6d6be74f4c3
                                            • Instruction ID: c939038fb2fe17eb6f79e2cbdf829d97a5c7ae10909706b4a6a14866be6da551
                                            • Opcode Fuzzy Hash: a64c4589fd7ca38ca900466d8af6255f8cd1f3e40f423057f6fcd6d6be74f4c3
                                            • Instruction Fuzzy Hash: 28918D75F007199BDB15EFB898106AEBBE2EFC4A00B10892DE846AB340DF355E058BD5
                                            Function 036DB490 Relevance: .3, Instructions: 252COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea2a42308cc720a19bd6115547bec80962faee60357de9b4e17905cbf75692b4
                                            • Instruction ID: 118376c2f75375ac6d15b6117ae81ca9f61d4d54eef299b51ccea9c2b97e6a63
                                            • Opcode Fuzzy Hash: ea2a42308cc720a19bd6115547bec80962faee60357de9b4e17905cbf75692b4
                                            • Instruction Fuzzy Hash: 92917E75F007199BDB19EFF898106AEBBE2EFC4A00B10892DE446AB344DF355E058BD5
                                            Function 036DE610 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: piGk
                                            • API String ID: 0-1747316285
                                            • Opcode ID: 3f6cb227b3710b82f6971e3cb8548ac4330083098a39adc0c981dd72560a160a
                                            • Instruction ID: 24eea8529a2c668214f96edd423d7063f74a1cb049604bc88291dc5bcc74f669
                                            • Opcode Fuzzy Hash: 3f6cb227b3710b82f6971e3cb8548ac4330083098a39adc0c981dd72560a160a
                                            • Instruction Fuzzy Hash: 1C41BE34A003459FCB11DF78D894A9DBFF2BF89204F1486ADE815AB395CB316D05CB91
                                            Function 036DE640 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: piGk
                                            • API String ID: 0-1747316285
                                            • Opcode ID: 980b191bea0d7df8a3d2c65b4855855d20db2d0ca3093d3156bfaf56be5f940d
                                            • Instruction ID: 09ec10477c5f0c99481b0cbfe140f559fce9da713b3181961206c881c97c1e2a
                                            • Opcode Fuzzy Hash: 980b191bea0d7df8a3d2c65b4855855d20db2d0ca3093d3156bfaf56be5f940d
                                            • Instruction Fuzzy Hash: 7A319034A00305DFCB54EF79D994A9EBBF2FF88604F148628E815AB384DB31AD05CB90
                                            Function 036DF3C1 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: W
                                            • API String ID: 0-655174618
                                            • Opcode ID: e81decbeba917551aedadd7c347998e71dea18089a86e1da591dc7dd79da848e
                                            • Instruction ID: 14bee540c113964e69d252448650546b846ef298f862037c0fa39da9d4084b66
                                            • Opcode Fuzzy Hash: e81decbeba917551aedadd7c347998e71dea18089a86e1da591dc7dd79da848e
                                            • Instruction Fuzzy Hash: 5401ED71D1474ADFCB14DFA4C9445EEBBB1FF99300F10471AE015A6A05D7B425868B41
                                            Function 07D43CE8 Relevance: .6, Instructions: 581COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1447576003.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7d40000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f48e629ef986d789a6247fc3441c18aea36e70512917ba5e613c9461557db592
                                            • Instruction ID: 891bbfc74cb901c6804b9073e0dc5e22fec1eeb458b15440d13f8afa4c226260
                                            • Opcode Fuzzy Hash: f48e629ef986d789a6247fc3441c18aea36e70512917ba5e613c9461557db592
                                            • Instruction Fuzzy Hash: BE127AF1B003568FDB159B6CC90176AFBA2AFC6211F14807AD945DF392DB32D882C7A1
                                            Function 07D42700 Relevance: .3, Instructions: 321COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1447576003.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7d40000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7633cba54c31d84ae2ce422d80676ee9fcb7498b2e1485e8c141ec0940edf29
                                            • Instruction ID: e0aa2b36838fa4fa133ff0391592b7ecdf7eb4e85bd2a3d1550880463cabd80e
                                            • Opcode Fuzzy Hash: a7633cba54c31d84ae2ce422d80676ee9fcb7498b2e1485e8c141ec0940edf29
                                            • Instruction Fuzzy Hash: 68B1F5B2B003159FDB249B68C9417ABFBE5BFCA321F148076E985DB251CB31E941C7A1
                                            Function 036D29F0 Relevance: .2, Instructions: 213COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ca045ee19fc91f3aa24ce817de22a254827bc51e3bd8458019949a9d8691552
                                            • Instruction ID: e28668b498731e45acad51ecc9bd9085b43cf3fd226c5f445fa3c1fac8a1a882
                                            • Opcode Fuzzy Hash: 6ca045ee19fc91f3aa24ce817de22a254827bc51e3bd8458019949a9d8691552
                                            • Instruction Fuzzy Hash: BE917E74A006058FCB15CF58C5A4ABEFBB1FF89310B288599D815AB365C736FC51CBA0
                                            Function 036DE419 Relevance: .2, Instructions: 165COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad86e87908736f031a6fcfe4712e926acd3c3eb16ee203c082ccee7856523251
                                            • Instruction ID: f94d8e621f5a6f7e4f92724102449bf8f5ef34fbeb5b8419ba45041e27180a7c
                                            • Opcode Fuzzy Hash: ad86e87908736f031a6fcfe4712e926acd3c3eb16ee203c082ccee7856523251
                                            • Instruction Fuzzy Hash: 42516D74B003058FDB11EF6CC584A6ABBE6EFCD61075885A9E849CF351EB75DC028BA1
                                            Function 036D7740 Relevance: .2, Instructions: 156COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07797a1f24c59de9d2c858ae0020f9944a5a4c3b5b16403dd72f25846afa9bab
                                            • Instruction ID: 464cabcc3f59f69ffb87f81e9895e9c4c4f2cae442d66818d0285758de3e13a9
                                            • Opcode Fuzzy Hash: 07797a1f24c59de9d2c858ae0020f9944a5a4c3b5b16403dd72f25846afa9bab
                                            • Instruction Fuzzy Hash: 9151E0347042059FD714DB79D854A2AB7EAFFC8211F2945BAE409CB352DB31EC02CBA1
                                            Function 036DBAC0 Relevance: .2, Instructions: 155COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad493de2620596da31e7fb10b7e219821756578dc616654a7adee3adea106ff8
                                            • Instruction ID: 230e024b464ad27d4b53abc634110498b773236309c0fbc4111a6e0f4432fa69
                                            • Opcode Fuzzy Hash: ad493de2620596da31e7fb10b7e219821756578dc616654a7adee3adea106ff8
                                            • Instruction Fuzzy Hash: D2610571E002489FDB14DFA9D984B9DFBF1FF88310F19812AE809AB354EB309841CB60
                                            Function 036DBAB0 Relevance: .1, Instructions: 149COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e7985d4ae17698e2172751e50edb197826b50279d8f648ccccfbad939aaa9f4
                                            • Instruction ID: 82a9cbcdc389cf76efeee297d40974b215e99f3d56006dcb487a963b40fb8e8c
                                            • Opcode Fuzzy Hash: 1e7985d4ae17698e2172751e50edb197826b50279d8f648ccccfbad939aaa9f4
                                            • Instruction Fuzzy Hash: 76511575E012489FDB14DFA9D984B9DFBF1FF88310F198169E809AB354DB309845CB61
                                            Function 07D43CCC Relevance: .1, Instructions: 137COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1447576003.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7d40000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 92bcce105d4ac7e97900a64a9bb547a739d1355e704b5674e365d34ac845a2c7
                                            • Instruction ID: c9296abfc7b8a97f6ce6138d0a8c4a671a5197b5d80e730abf6a563c576dd021
                                            • Opcode Fuzzy Hash: 92bcce105d4ac7e97900a64a9bb547a739d1355e704b5674e365d34ac845a2c7
                                            • Instruction Fuzzy Hash: 5441F5F1A01202DFCF25CE5CC641A7AFBA69F85214B1981BAD800AF796C731ED46C7A5
                                            Function 036DE428 Relevance: .1, Instructions: 130COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b6814a3614d19415a1b139036b477f20cece13f56439a6e9696df2e05a0d90f9
                                            • Instruction ID: 4963d8ab4ab338944037d0559ae5fc3a2401170d9c7585dd8315b6dea9fe30be
                                            • Opcode Fuzzy Hash: b6814a3614d19415a1b139036b477f20cece13f56439a6e9696df2e05a0d90f9
                                            • Instruction Fuzzy Hash: 51411B74B003058FDB14EF68C594E2AB7E6FFC965475884A8E809CF355EB75EC028BA1
                                            Function 036D6FB0 Relevance: .1, Instructions: 126COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b664ad4edbe835af6945137fff02f741c3af2820d3c37cd5bce1de6a51a1289e
                                            • Instruction ID: f3a1609f36adf6dcf2415e73f74aa6beb18dad6d14867fbdda82ee945b64b338
                                            • Opcode Fuzzy Hash: b664ad4edbe835af6945137fff02f741c3af2820d3c37cd5bce1de6a51a1289e
                                            • Instruction Fuzzy Hash: 8241D474A042458FCB01CF64D964AAEBFF1AF8E215F1941D9D841EB3A2CB32DC06CB61
                                            Function 036D6FE0 Relevance: .1, Instructions: 114COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db3a0a33a429139178f9d36f850836e722ce7d413ce3511cd18a2df32ebb4d57
                                            • Instruction ID: f9d02a2b5b6d38c547d3d579c398bfc2d264e934dcff7c2684d0d237d6e724d1
                                            • Opcode Fuzzy Hash: db3a0a33a429139178f9d36f850836e722ce7d413ce3511cd18a2df32ebb4d57
                                            • Instruction Fuzzy Hash: 15414A34B042048FDB18DF64D568AAEBBF2EF8D615F1854A9E806AB395CB35DC01CB61
                                            Function 036DE469 Relevance: .1, Instructions: 104COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 359516eef9ad7bcf0fb4ea2b2b0f907e4da6eba8d9cfe93556dfd73a8ca9348d
                                            • Instruction ID: 4bb9cea99713d91a0fb7efca0b0c89cb7ced6c8715bd9a09e233ef6c7056af02
                                            • Opcode Fuzzy Hash: 359516eef9ad7bcf0fb4ea2b2b0f907e4da6eba8d9cfe93556dfd73a8ca9348d
                                            • Instruction Fuzzy Hash: D8416E74B003058FDB14EF68C594A6EB7E6FFC96147548468E409CF355EB75DC028BA2
                                            Function 036DC388 Relevance: .1, Instructions: 101COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2104e44ee4c6094647c6b347fdecbf250fd673ca7e36f28910fc73ce4703f216
                                            • Instruction ID: 792bf4fe27510dc123705e24b3be858117db49eeda5c4f7b8ee62ffdb9498c85
                                            • Opcode Fuzzy Hash: 2104e44ee4c6094647c6b347fdecbf250fd673ca7e36f28910fc73ce4703f216
                                            • Instruction Fuzzy Hash: F931BC353007149FD705EB78E840BAEBBA2EFC4611F048639E50ACB751DF71A806CBA1
                                            Function 036DAE60 Relevance: .1, Instructions: 87COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6961d10375d080e70e726469a2cb81bd6b7228bdfa36844ca7afad4ee9e2c0a8
                                            • Instruction ID: 24d4c3665d5649ec573eb1dfc8d3e4dec683203b0fad4c7044c5cfbdd93da949
                                            • Opcode Fuzzy Hash: 6961d10375d080e70e726469a2cb81bd6b7228bdfa36844ca7afad4ee9e2c0a8
                                            • Instruction Fuzzy Hash: 72314774E052098FDB14DFA9D594BAEBBF6EFC8301F148069E505EB750EB348C428BA5
                                            Function 036DAE70 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dec4d63b5c74e71ff50d40e40da7ae6525fea64f4f5192c36f8509223094cfc5
                                            • Instruction ID: 352201066f2d7cfa25029fe2b050c69cd4796fff8511b07f628d2aa2ed94c300
                                            • Opcode Fuzzy Hash: dec4d63b5c74e71ff50d40e40da7ae6525fea64f4f5192c36f8509223094cfc5
                                            • Instruction Fuzzy Hash: A7316B74E052099FDB14DFA9C594BAEBBF6EFC8300F148069E505EB350EB348C028BA5
                                            Function 036DAD28 Relevance: .1, Instructions: 82COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 183eddd1a147fae5377a6900b954222e9a9cabd0d6cbd1d7daac5f82a829dc7e
                                            • Instruction ID: fdc789d669a237f83719c7997ea9a1d205e92ef91652beea58f27ff48364c174
                                            • Opcode Fuzzy Hash: 183eddd1a147fae5377a6900b954222e9a9cabd0d6cbd1d7daac5f82a829dc7e
                                            • Instruction Fuzzy Hash: 01317CB8A002099FDB05EFA4D854BAE7BB2EF84700F25847DE515AF395CB399D01CB61
                                            Function 036DE049 Relevance: .1, Instructions: 81COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2438ce0514430789c5bf8d86334b7a5168e89c27b517fce70f7ca64c9d23d75
                                            • Instruction ID: 9ec5fb64fd8a6ed4b225ee4d7d835a15750a1fb0a8737b95f0048b9d97d480e2
                                            • Opcode Fuzzy Hash: f2438ce0514430789c5bf8d86334b7a5168e89c27b517fce70f7ca64c9d23d75
                                            • Instruction Fuzzy Hash: AA318C35A002049FCB14EF68D898A9EBBF2AF8C214F14456DE406EB365CB719C45CB91
                                            Function 036DAF98 Relevance: .1, Instructions: 81COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf64df1817388e8190b2a32f213bc4c31b158b32a684d7bb68cc0ee14e234a19
                                            • Instruction ID: 0eec87919e2608d11c7c94fb642fb5252d9cbc81949cb99bbc19b41f14babd79
                                            • Opcode Fuzzy Hash: cf64df1817388e8190b2a32f213bc4c31b158b32a684d7bb68cc0ee14e234a19
                                            • Instruction Fuzzy Hash: 2621B275E043588FCB14DFAAD400B9EBFF5EF89620F14846ED408A7340CB7599058BA5
                                            Function 07D426FB Relevance: .1, Instructions: 78COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1447576003.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7d40000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de31efa8144955707e042eaf114a47070efd49400ff871f3fedece28b7a3dfe1
                                            • Instruction ID: 39ffd48ffa86d5136dd16343c4243da6a1796d42a4e87b9d2feb79ae317b615c
                                            • Opcode Fuzzy Hash: de31efa8144955707e042eaf114a47070efd49400ff871f3fedece28b7a3dfe1
                                            • Instruction Fuzzy Hash: 95219FB5A10206DFDF248F59C945BAAF7E1BB45361F049066F8889B250C334F984CBA1
                                            Function 036DE058 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ea09e8b5dfb057e7bababdda1a97cca0460df0a71b8c727aee1e5af0839a70e
                                            • Instruction ID: cf7bfe0bf6a8b13d38cff9b9111c8a0b6e4f223162d751acbc744788a453b870
                                            • Opcode Fuzzy Hash: 2ea09e8b5dfb057e7bababdda1a97cca0460df0a71b8c727aee1e5af0839a70e
                                            • Instruction Fuzzy Hash: 09314835A002049FCB14DF68D898A9EBBF2AF8C215F145569E406EB394CF71AC45CB90
                                            Function 036DAD38 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d9f52ab7f0e719634f533abd341fd3b909ed64497b028dd0d6099dc5aa26b46
                                            • Instruction ID: f1c72cf3f877fe47fb3b163f885c34e2617d684fe5b0d8ce37a74ba033718018
                                            • Opcode Fuzzy Hash: 2d9f52ab7f0e719634f533abd341fd3b909ed64497b028dd0d6099dc5aa26b46
                                            • Instruction Fuzzy Hash: 783150B8E002099FDB05EFA4D854BAE77B2EFC4700F208479E511AF394DB399D018BA4
                                            Function 0365F3D8 Relevance: .1, Instructions: 76COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5dd079379a433d1af3f838a38dfbe70e468da9bfe39842526a73cada1b18bdf
                                            • Instruction ID: 6669145c2078750892b8e6ead01dc75443d82986f8a0d44519b46d12d32918b2
                                            • Opcode Fuzzy Hash: f5dd079379a433d1af3f838a38dfbe70e468da9bfe39842526a73cada1b18bdf
                                            • Instruction Fuzzy Hash: D721DE76608300EFDB05DF10DAC4B26BB66FB88215F24C5A9ED094E357C73AD456CBA2
                                            Function 036D93F0 Relevance: .1, Instructions: 73COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d76fa515ef11085fef297aca9b31796b63e711b7dd6adcff619aaaa089400df
                                            • Instruction ID: 583e509137286229c93b6c6a64a9f4bf6d5ffd1d3669571f77f949e37067bf6d
                                            • Opcode Fuzzy Hash: 4d76fa515ef11085fef297aca9b31796b63e711b7dd6adcff619aaaa089400df
                                            • Instruction Fuzzy Hash: 44318970E027448EDB60CF6AC58879AFFE2EF88310F28846ED84D9B205C77454458B61
                                            Function 0365F02C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63ecec5f03145df925b1c638ff09d20ee3498586b34ee3970d81165e3a3e0261
                                            • Instruction ID: e5c1ca475219cf7cc03129df5fb7da44fe941c468d68881d7b7c1d28643b195d
                                            • Opcode Fuzzy Hash: 63ecec5f03145df925b1c638ff09d20ee3498586b34ee3970d81165e3a3e0261
                                            • Instruction Fuzzy Hash: 4B210076604200DFDB10DF20D994B16BBA5EB84224F28C5B9EC0A4F346C37AD446CA62
                                            Function 0365F4CC Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af6aa4a3d556728326daf5ff70629e4419e63501121386bf5c8323e6cc39ded6
                                            • Instruction ID: d5a5b52ba192edfc0da8e4d26c4db038f7bfdf328cd33231188862a6e781c21a
                                            • Opcode Fuzzy Hash: af6aa4a3d556728326daf5ff70629e4419e63501121386bf5c8323e6cc39ded6
                                            • Instruction Fuzzy Hash: C621D1B1604240DFDB14EF14D584B26BBA5EB94614F24C5BDED494F342C73AD446CA62
                                            Function 036D9400 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62f036c63a76467f2a3e7a40b1ec2eb1a2161ca01a31b9ae5715f7aab899ee9c
                                            • Instruction ID: 6ee5bbef3a0d2847722b67e2334f440c719e6a5825779f56019defeac54abbb4
                                            • Opcode Fuzzy Hash: 62f036c63a76467f2a3e7a40b1ec2eb1a2161ca01a31b9ae5715f7aab899ee9c
                                            • Instruction Fuzzy Hash: 1C217770E017448EDB60CF6AC48878AFBF6EB88320F28C42ED80D97345DB7464818B61
                                            Function 036D767C Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9a623c06a3194a8b1907f96fede76fb9e5984b740b7019fc2b5a042e1f47762
                                            • Instruction ID: dcfcc58d0f2f7b65df9dc69164ca0bcb0278b75e4efb620a7fe8a768fe2fa5b7
                                            • Opcode Fuzzy Hash: e9a623c06a3194a8b1907f96fede76fb9e5984b740b7019fc2b5a042e1f47762
                                            • Instruction Fuzzy Hash: B0112B39B002188FCF04DFA8E950ADDB7F6EBCC662B1440A9E909DB351DB31DC118B91
                                            Function 0365F3D3 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
                                            • Instruction ID: ba4afa0a276ecbd6eb696c47c1fea62747af9a918de8983544ea7b218b6e0615
                                            • Opcode Fuzzy Hash: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
                                            • Instruction Fuzzy Hash: 37216A76508240DFCF06CF10DAC4B16BB72FB88214F28C5A9ED494E657C33AD46ACBA1
                                            Function 0365F027 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
                                            • Instruction ID: 30044e5b6f93a909ad1cf2dade6a0faed57810f56da9a7bcbcedaedaf997c398
                                            • Opcode Fuzzy Hash: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
                                            • Instruction Fuzzy Hash: F311A97A504280CFCB11CF14D690B15BFA2EB84224F28C6AAEC494B756C33AD44ACB61
                                            Function 0365F4C7 Relevance: .0, Instructions: 50COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f21fc1f25a234081c78c2705e564ac0b006ac508c56e38c22ed648c76ef104d6
                                            • Instruction ID: 597071d58e3b5dfb36a346ed14159a17a5360532a4cf01edde5702d32f0d1397
                                            • Opcode Fuzzy Hash: f21fc1f25a234081c78c2705e564ac0b006ac508c56e38c22ed648c76ef104d6
                                            • Instruction Fuzzy Hash: 8611CAB5604280CFCB15DF24D6C4B25BBA1FB88314F28C6ADE8494B752C33AD44ACB92
                                            Function 036DBCE0 Relevance: .0, Instructions: 50COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 886bbec58cda03c8d5db61d010aa63eb69f2b69e57e64cef497ecadf63dd25a1
                                            • Instruction ID: 5ee2d05f174609acceb5baf568690e4ac32baac94efc9b6945beb72c08b22237
                                            • Opcode Fuzzy Hash: 886bbec58cda03c8d5db61d010aa63eb69f2b69e57e64cef497ecadf63dd25a1
                                            • Instruction Fuzzy Hash: 4D01F5316083445FDB14DB75D594A59BFF4EF4A610F1888EEE08ACB7A2CB30E844C701
                                            Function 036D79C2 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7014d53e1d292dbfa5643101730a276afe54a81dc1fbabd9008ebe00a6b108f9
                                            • Instruction ID: ad4303050750aebf7f566248c96861c67a02653069f7b773e8260ac47bae61de
                                            • Opcode Fuzzy Hash: 7014d53e1d292dbfa5643101730a276afe54a81dc1fbabd9008ebe00a6b108f9
                                            • Instruction Fuzzy Hash: 2C01F972B053454FDB11CB69AC50A7F7BE5EB86121704066EE44BDB341DA215D0187A1
                                            Function 036DDF20 Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 527bcb71b6a2216c83832a76f70a57b60b42904ce768f73661665052cf983bbc
                                            • Instruction ID: 6cd5613331542cf17c5ceeb1dc811f1da4a18bef009d6c4e9ace2c6a8555d227
                                            • Opcode Fuzzy Hash: 527bcb71b6a2216c83832a76f70a57b60b42904ce768f73661665052cf983bbc
                                            • Instruction Fuzzy Hash: 33018C35B002149FCB219F74EC18AAEBBF5FB88315B14406DF51AD3642DB329902CB91
                                            Function 036DDE98 Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2a63b1edddd51d6907b77f9d9c55016f8419b836dc01963d87683965747611d
                                            • Instruction ID: 0362d7b7f8953a6add29b823f38b26b11aec337511c386b7e7f5ed3aa8c2169a
                                            • Opcode Fuzzy Hash: b2a63b1edddd51d6907b77f9d9c55016f8419b836dc01963d87683965747611d
                                            • Instruction Fuzzy Hash: 77111B34204750CFC728DF75D480996BBF6EF8921576489ADD48A87BA1CB32F845CF50
                                            Function 0365D005 Relevance: .0, Instructions: 47COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5547e56d5f90c4a9b39fb0355e7d6531b58b46ca2bd88187ea71f7e168bc8d7
                                            • Instruction ID: 6b2958c0c91409e46580f107716a5dfc50a48b702c813c2ac4f90e7f8e928d7d
                                            • Opcode Fuzzy Hash: b5547e56d5f90c4a9b39fb0355e7d6531b58b46ca2bd88187ea71f7e168bc8d7
                                            • Instruction Fuzzy Hash: A6012D6240D3C45FD7128B258D94B56BFA8DF43624F1984DBEC888F2D3C2695C45C772
                                            Function 0365D01D Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 836d0bee691418dc77ab241a771c870cb02282f357f3320ad77a044f543ca878
                                            • Instruction ID: 3a4d8d6bf9fd122d6bce45edf408d74955c0b376025e63d4461c1d08c0b0eba5
                                            • Opcode Fuzzy Hash: 836d0bee691418dc77ab241a771c870cb02282f357f3320ad77a044f543ca878
                                            • Instruction Fuzzy Hash: AC01A7724043449AE7209E15CD84B67FF98EF41625F18C469FD484B7C2C6799442C7B2
                                            Function 036DBF10 Relevance: .0, Instructions: 44COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 670668ada43f056a3e106882635088db7bf28d697f7ead0dee43aec42cdb6c59
                                            • Instruction ID: 6603bf8f4e19ea51cff8a3f573381fd27bdcd3bdbae6cab7bd16289e9d402c77
                                            • Opcode Fuzzy Hash: 670668ada43f056a3e106882635088db7bf28d697f7ead0dee43aec42cdb6c59
                                            • Instruction Fuzzy Hash: 90F0A4353093901FD7018A799C549B77FE9DB9A62071941AAF484CB362C974CD048760
                                            Function 036D7958 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03071e9a6438031aef5ee0d47e7c902793efc00f4431e99a315de4cd46c0170b
                                            • Instruction ID: b330a887d4c00c7a039f082ed91ea64e0bf5bdc2f886a0077c73e1f78831fe50
                                            • Opcode Fuzzy Hash: 03071e9a6438031aef5ee0d47e7c902793efc00f4431e99a315de4cd46c0170b
                                            • Instruction Fuzzy Hash: B1F046727053405FCB11C76A9C409AF7BE8EB8A562B000A2EE44ADB341DE645C0287B1
                                            Function 036DDE37 Relevance: .0, Instructions: 38COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c1a2131692d72a9c6545b769954a2621e2a79ab6391fefaf7f85558eb61a7e1
                                            • Instruction ID: 78ba37e3dcab0c8b385bb5c139b01dee0c6a8a2da2c86ce163c7e84a02279884
                                            • Opcode Fuzzy Hash: 3c1a2131692d72a9c6545b769954a2621e2a79ab6391fefaf7f85558eb61a7e1
                                            • Instruction Fuzzy Hash: EFF034367052518F8309EB1CE494862BBF6AFDE62532901AAE049CB362CA61DC028B90
                                            Function 0365D993 Relevance: .0, Instructions: 37COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac6f93298f8f8eb73d81e2c25bf0bbc143a7daac21660abfd6b4c2ebfafe69fe
                                            • Instruction ID: 8e08d02a47c0ab182677fe9faaa0a68498a2b236a5fa82adafef5deb4ef4f0e6
                                            • Opcode Fuzzy Hash: ac6f93298f8f8eb73d81e2c25bf0bbc143a7daac21660abfd6b4c2ebfafe69fe
                                            • Instruction Fuzzy Hash: 4AF0E776200600AF9724CF0AD984C27FBA9EBD4670719C56AEC4A8B752C671E842CAA1
                                            Function 036D90D8 Relevance: .0, Instructions: 35COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f52ba180be63b4c39a96201c99935163ed6b423a29427524f1d8dc124f99402b
                                            • Instruction ID: 04d4e8f858649c197004ab378be4b529447c9357f604ea728ca85c1736bf9a99
                                            • Opcode Fuzzy Hash: f52ba180be63b4c39a96201c99935163ed6b423a29427524f1d8dc124f99402b
                                            • Instruction Fuzzy Hash: 9EF0C279A042509FD301EB28C4583AB7BA1DBC5315F14819FD4158B785CE391806CBA1
                                            Function 0365D984 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438125641.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_365d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4bd7501e74806d599275379face2ef19b5aea59e5af394c96c000810b0a8d952
                                            • Instruction ID: c628fc39209fdf83f1392c246123161f20dae79324abab1e4aa4fc0b48c24def
                                            • Opcode Fuzzy Hash: 4bd7501e74806d599275379face2ef19b5aea59e5af394c96c000810b0a8d952
                                            • Instruction Fuzzy Hash: 9EF0F976104A40AFD725CF06CD84D23BBB9EB95620B19849DBC5A8B752C731FC42CFA1
                                            Function 036DF3D0 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c43b2c15c3add08ef2970f35b0080f8b4113f23c64184f947ee018e7cb64fa8
                                            • Instruction ID: 2c6e204fad7499bf78c4ddcb5c27464504ad1bea35c7d664f607a5c35db4dd7b
                                            • Opcode Fuzzy Hash: 6c43b2c15c3add08ef2970f35b0080f8b4113f23c64184f947ee018e7cb64fa8
                                            • Instruction Fuzzy Hash: 8F01D271D1475ADFCB04DFE4C8446EDBBB0FF99300F10472AE015A6A05EBB066868B81
                                            Function 036D7968 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4750d9e4a1e897ebdc9bf1d12603668ab7abe549d29192c281704399bad324f2
                                            • Instruction ID: 683fa45c0d1048be3c506f49e182b455795d9dc834e0cee1d216fababe0286ae
                                            • Opcode Fuzzy Hash: 4750d9e4a1e897ebdc9bf1d12603668ab7abe549d29192c281704399bad324f2
                                            • Instruction Fuzzy Hash: B4F0A0367007149FC710DA6AE884A6FB7E9EBCA661B00092DE90ADB340DF30AC0187A5
                                            Function 036D9158 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 74ce709f6803c2627cbccaefa279d789280d11f473341f5fbb6e0899d8726f33
                                            • Instruction ID: c2d24e5aa0b9b2b07d36a26455abadddc3bac2c87cc81f489e452151f13e2af5
                                            • Opcode Fuzzy Hash: 74ce709f6803c2627cbccaefa279d789280d11f473341f5fbb6e0899d8726f33
                                            • Instruction Fuzzy Hash: 73F05E70A093404FD761DB78D8DC39A7FF1EB06311F1444AEE55ACB282CB796885C750
                                            Function 036D90E8 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d40202eb1e0b4860e2521c649ce6e80c254704f95856e99cd3384fac0ae68e68
                                            • Instruction ID: 8a039b262a73bd6048c6294d3ff13fe27f4d9be8bd60366735a360bdeb2a7a5b
                                            • Opcode Fuzzy Hash: d40202eb1e0b4860e2521c649ce6e80c254704f95856e99cd3384fac0ae68e68
                                            • Instruction Fuzzy Hash: 7DF027796002149BD300EF68C4083AB77A6DBC0755F10812ED90A4B784CE3E6C06C7E0
                                            Function 036D7697 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d3535f4b670becbe2dd281f2180b4c949be74f929357c83ed06acaa51b5bb0b
                                            • Instruction ID: f02c029c4721d636238d0e3c9b6770427b9d7e4dc01d340bb73f7001d8bc6f73
                                            • Opcode Fuzzy Hash: 4d3535f4b670becbe2dd281f2180b4c949be74f929357c83ed06acaa51b5bb0b
                                            • Instruction Fuzzy Hash: 0AF0A7397001048FCB10CB6CD900A597BA6EBCCA567154195E909DB310EF30CC118B91
                                            Function 036DDC88 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 11575259324d7f7408e19e6332f0ef527e01c77303dde189e0f409358a340a1a
                                            • Instruction ID: 030c4db7dc04f129d06b9897207752ec809e40f52c098eed8dc610c751b7059d
                                            • Opcode Fuzzy Hash: 11575259324d7f7408e19e6332f0ef527e01c77303dde189e0f409358a340a1a
                                            • Instruction Fuzzy Hash: 19F0A03560AB905FC313E32DA81089E7FAA9DCB16031941AEE045CB252CAA4880687A6
                                            Function 036DDE48 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9f80f7708603c5370da86fdada1be2f401734cf28e28d6bd29cb8417885299b
                                            • Instruction ID: c28b6d3e8e9cac4501d4cef7c53848b4e04f1a2a6940ba2413183d6ef43464b2
                                            • Opcode Fuzzy Hash: b9f80f7708603c5370da86fdada1be2f401734cf28e28d6bd29cb8417885299b
                                            • Instruction Fuzzy Hash: 1BE0E535B002119F8614EB5DD498D26B7FAEFCEA6531910A9E549CB731DA61EC018B90
                                            Function 036DDCD8 Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05d3a060e23cc9aa4547bec17f895d590ddbf53951f79e36e9c5618e8e21bed5
                                            • Instruction ID: 0807534e738a995393ab10cfc6e16c7559a75824eeaa3425f846ebe599df70ef
                                            • Opcode Fuzzy Hash: 05d3a060e23cc9aa4547bec17f895d590ddbf53951f79e36e9c5618e8e21bed5
                                            • Instruction Fuzzy Hash: D7E0E530A000809BCB08DB6CD4144E9BFA5AFCD225B1880BED405AB610C6711812CB91
                                            Function 036D9168 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5deabd9dbf58f9d6d9db360ac29fca71080d054812713565f8e397af20833f27
                                            • Instruction ID: 21751c80dbcf3c39f2f4a45ed7ba2c45bf03a15bb1c950617153391a10c09e8b
                                            • Opcode Fuzzy Hash: 5deabd9dbf58f9d6d9db360ac29fca71080d054812713565f8e397af20833f27
                                            • Instruction Fuzzy Hash: 48F06D709003048BD360DB78E89C39A7BE9EB45311F00446DE50EC7340DB3968818B90
                                            Function 036DAF88 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c42d6a3a375d164783fc02568c3762d98af3084b75136039ab92f73866277f1
                                            • Instruction ID: 604f25a01afa4beb11bfbb616697a48053fca1963fccd10e1ab30a27650932a1
                                            • Opcode Fuzzy Hash: 0c42d6a3a375d164783fc02568c3762d98af3084b75136039ab92f73866277f1
                                            • Instruction Fuzzy Hash: 16E0C21A70D3D51F5B16A17EA8204567FEB8ECF42030E80FAF588CF302CC568C0683A1
                                            Function 036D8978 Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abc58b16cf5fe989fa5e520a3051a908d1fe69a7a05fcaa26db36baa7b2b4f08
                                            • Instruction ID: 2a4e428210605ddb241a7655ce13e8318baeeb041d863d40e488a40679bb0144
                                            • Opcode Fuzzy Hash: abc58b16cf5fe989fa5e520a3051a908d1fe69a7a05fcaa26db36baa7b2b4f08
                                            • Instruction Fuzzy Hash: 4CE0263970831057CB0A7775A90C3AE7A5AEBC4726F00002EFA0687381CF79580283E9
                                            Function 036D8973 Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 22142c4c7fe792b240cfc216360eb559e680d18dfe82745572fb6a4ba79de037
                                            • Instruction ID: d787fa75e087e04448fa646a937d27ce82cf951ca631999d0ee03e2e3e14ef50
                                            • Opcode Fuzzy Hash: 22142c4c7fe792b240cfc216360eb559e680d18dfe82745572fb6a4ba79de037
                                            • Instruction Fuzzy Hash: 72E0DF39B0425197DF0A6B34A94C3AE7A62EBC8726F00002FFA1687381CF790802C3D9
                                            Function 036D9549 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2427572664c6a0e09b54398e6eda641bf98cbbb468ed928607f84becea5156ff
                                            • Instruction ID: fa7093ef39c590f698758d51015138bbdff4d00b1326ce7157ac6592d9755489
                                            • Opcode Fuzzy Hash: 2427572664c6a0e09b54398e6eda641bf98cbbb468ed928607f84becea5156ff
                                            • Instruction Fuzzy Hash: 3CD05B36F115110B5A54F5F95A44BB655DBCFC415530D413ED945CB740ED60CC0243E8
                                            Function 036D9550 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f85d71fa0044f9c2f4b20f2af18b7c42cc70b1acbd25c6ea27c0380925f49748
                                            • Instruction ID: 672f490d16f2729f60180e648849738ca6c9d211850c244caf289d3f44c0d469
                                            • Opcode Fuzzy Hash: f85d71fa0044f9c2f4b20f2af18b7c42cc70b1acbd25c6ea27c0380925f49748
                                            • Instruction Fuzzy Hash: 3DD05E26F01621174658F1FA5904BBBA1CE8FC54A1709013ADA09CB341ED40DC0243F9
                                            Function 036DDCE8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                            • Instruction ID: d49943418ba112b10dc99dc299c4c5ca7ccaa53ca5752d837dd3838653879d5f
                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                            • Instruction Fuzzy Hash: A8E08631B1005497CB08DAA9D4104EDF7AADFCC221F04807AD90AA7340DA32591687E1
                                            Function 036DDC98 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b484b463508795b71964a28a776468bf7aa614903c6ca1d00ce8db559f12b3c
                                            • Instruction ID: 9ed64c0f6f97afbe7b36e65990ccdfa437b648ea53374ed7f06b7b40e1aa4b81
                                            • Opcode Fuzzy Hash: 5b484b463508795b71964a28a776468bf7aa614903c6ca1d00ce8db559f12b3c
                                            • Instruction Fuzzy Hash: 73E08C36B00B18478216A61EA81085EB69EDEC99B1314447EE4098B340DF64DC0247EA
                                            Function 036DF460 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b104fddfdd7f377fe7dfe3d06726025f6e73a7d94c295557997388df8c84a10
                                            • Instruction ID: 80e07052cda383aed1cc89a8374336ac5461dd136608268f127cbdef32eb06c1
                                            • Opcode Fuzzy Hash: 1b104fddfdd7f377fe7dfe3d06726025f6e73a7d94c295557997388df8c84a10
                                            • Instruction Fuzzy Hash: 24E04F74D042099F8780EFBC98425AAFFF4AB48200F1085BAD909DB311E63286128BE1
                                            Function 036D8739 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8cf6571ea56f481fe72d0b39f5827fa5d54be478b676d4671c0e07545d171875
                                            • Instruction ID: a5fb0d183097fbe4529aaf2d2ab59beaf19dcd6706e7fed706f067143dd352b7
                                            • Opcode Fuzzy Hash: 8cf6571ea56f481fe72d0b39f5827fa5d54be478b676d4671c0e07545d171875
                                            • Instruction Fuzzy Hash: 48E08631E05045CFCF09FBA4EC5D5EE7F70EA15302B40019DE85762852DA710547CB81
                                            Function 036D8800 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa081e8e147902f1bd37f1402d15b5eeee2fa57778014ea792894141544f0683
                                            • Instruction ID: e11afd916626286c7152ab10dab3499b085efbad7257a61b9c2f42478ffbb9a4
                                            • Opcode Fuzzy Hash: fa081e8e147902f1bd37f1402d15b5eeee2fa57778014ea792894141544f0683
                                            • Instruction Fuzzy Hash: ABE08670D052468FCB55EFB8D94546ABFF1EB59209B1442AEF9459B741D6310842CF81
                                            Function 036DF470 Relevance: .0, Instructions: 16COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                            • Instruction ID: 5c9f34d79edc901b7f356b36baa31a4c38e72f6215d5c1c9260c63a7f0446ec7
                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                            • Instruction Fuzzy Hash: ECD067B0D042099F8780EFADC94156EFBF4EB48200F6085AA8919E7301E7329A12CBD1
                                            Function 036D8748 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ee75946c9fac41ab17e3b7c66cf7246ef3ef576fd4a2d1fac3ca7f8837de53a
                                            • Instruction ID: 0a50af1e2df024554081d86c0ed7a38dd07f6a19dfabce1ad92871664d143f4f
                                            • Opcode Fuzzy Hash: 1ee75946c9fac41ab17e3b7c66cf7246ef3ef576fd4a2d1fac3ca7f8837de53a
                                            • Instruction Fuzzy Hash: C8D06731C041098BCB18EBA5EC5A5BDBB74FA14302F40416DE91762592EA315A5BCAC5
                                            Function 036D8810 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a810c1bc3df54aa731690dabf95abc50d98a4ea6982b496faf0700230a1e8f03
                                            • Instruction ID: 338f20e35844cddbe618322dbb70464de479eea58ee62ee46f3539095533f16c
                                            • Opcode Fuzzy Hash: a810c1bc3df54aa731690dabf95abc50d98a4ea6982b496faf0700230a1e8f03
                                            • Instruction Fuzzy Hash: 3ED01274D0420A9BC754DFA4D84656DBBB4EB44201F004159E94593740EA305802CBC1
                                            Function 036D7EA0 Relevance: .0, Instructions: 13COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e2b8e02424a7c547849072c22cf2ec515749bd7033425228fd3c5109d090704
                                            • Instruction ID: 8c815e60f2ae2cea767ca368c23aabcdd7014a53665f808c2d0b82b200ef3e25
                                            • Opcode Fuzzy Hash: 5e2b8e02424a7c547849072c22cf2ec515749bd7033425228fd3c5109d090704
                                            • Instruction Fuzzy Hash: 9CC04CD19193914EEF4292350C7610D3E71955351570A86D69941DA066E8558906C792
                                            Function 036D7932 Relevance: .0, Instructions: 11COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73c434a47143e96879c197d1f1006908895a1f5580ebdda72511c7f188ba02c5
                                            • Instruction ID: a15206437e040468a8eb72d4d2d497d04bf0901038e3b97eea4b4cb38e58c733
                                            • Opcode Fuzzy Hash: 73c434a47143e96879c197d1f1006908895a1f5580ebdda72511c7f188ba02c5
                                            • Instruction Fuzzy Hash: D1C04CB684E3C65ACF528AB458B50542F204B5307931A14CFD45D9E4A7B487054EA767
                                            Function 036D7940 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1438408189.00000000036D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_36d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5676fa81a401d49fadc5403d7b5ddc2706e6bba1daa6603339ed489fd338d97f
                                            • Instruction ID: ea38601ef6d574e3e42050c71a3376282fefec3219662c433b1884782b237e18
                                            • Opcode Fuzzy Hash: 5676fa81a401d49fadc5403d7b5ddc2706e6bba1daa6603339ed489fd338d97f
                                            • Instruction Fuzzy Hash: B4B09230048708CFC2486FB6A4448167729AB4222638008A9ED1E0A2939E37E885CA44

                                            Execution Graph

                                            Execution Coverage:6.2%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:0%
                                            Total number of Nodes:3
                                            Total number of Limit Nodes:0
                                            execution_graph 20172 8ad6428 20173 8ad646b SetThreadToken 20172->20173 20174 8ad6499 20173->20174

                                            Executed Functions

                                            Function 04AFB490 Relevance: 2.8, Strings: 2, Instructions: 252COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 306 4afb490-4afb4a9 307 4afb4ae-4afb7f5 call 4afacbc 306->307 308 4afb4ab 306->308 308->307
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: {YRn^$YRn^
                                            • API String ID: 0-979770880
                                            • Opcode ID: 100bb18439f8ba9d95d74da7cf9736b4a2fe3fd9000d060a8ff378062f9623a5
                                            • Instruction ID: 13b3e686dee6fcc17f40400b066fdae892a9f4b072fead98b70b3a8052726a97
                                            • Opcode Fuzzy Hash: 100bb18439f8ba9d95d74da7cf9736b4a2fe3fd9000d060a8ff378062f9623a5
                                            • Instruction Fuzzy Hash: F3914270B007159BEB29EFF498105AE7BE3EFC4614B04892DD516AB340EF35AE068BD5
                                            Function 07962308 Relevance: 8.2, Strings: 6, Instructions: 656COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1487196703.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: piGk$piGk$piGk$piGk$piGk$|,Ik
                                            • API String ID: 0-985158771
                                            • Opcode ID: fc422df546473917b95360484f0022e7d109e832d37078d0ba0e1af9b199c3f0
                                            • Instruction ID: 7f71280c85d488ef5f5977f391d2eced1032e036fcb361cb1167d7c39fb46dfc
                                            • Opcode Fuzzy Hash: fc422df546473917b95360484f0022e7d109e832d37078d0ba0e1af9b199c3f0
                                            • Instruction Fuzzy Hash: 6F2258B1B003069FDB209F68C949BAAB7E5BFCA215F14857AD805CB281DB71DC41C7A2
                                            Function 079617B8 Relevance: 2.8, Strings: 2, Instructions: 340COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 208 79617b8-79617da 209 79617e0-79617e5 208->209 210 7961969-79619b5 208->210 211 79617e7-79617ed 209->211 212 79617fd-7961801 209->212 220 7961b04-7961b0e 210->220 221 79619bb-79619c0 210->221 213 79617f1-79617fb 211->213 214 79617ef 211->214 215 7961807-796180b 212->215 216 7961914-796191e 212->216 213->212 214->212 218 796180d-796181e 215->218 219 796184b 215->219 222 7961920-7961929 216->222 223 796192c-7961932 216->223 218->210 245 7961824-7961829 218->245 229 796184d-796184f 219->229 239 7961b17-7961b34 220->239 240 7961b10-7961b15 220->240 227 79619c2-79619c8 221->227 228 79619d8-79619dc 221->228 224 7961934-7961936 223->224 225 7961938-7961944 223->225 230 7961946-7961966 224->230 225->230 236 79619cc-79619d6 227->236 237 79619ca 227->237 232 7961ab4-7961abe 228->232 233 79619e2-79619e4 228->233 229->216 235 7961855-7961859 229->235 243 7961ac0-7961ac9 232->243 244 7961acc-7961ad2 232->244 241 79619e6-79619f2 233->241 242 79619f4 233->242 235->216 246 796185f-7961863 235->246 236->228 237->228 248 7961b36-7961b42 239->248 249 7961b44 239->249 240->239 250 79619f6-79619f8 241->250 242->250 252 7961ad4-7961ad6 244->252 253 7961ad8-7961ae4 244->253 254 7961841-7961849 245->254 255 796182b-7961831 245->255 256 7961886 246->256 257 7961865-796186e 246->257 260 7961b46-7961b48 248->260 249->260 250->232 261 79619fe-7961a16 250->261 263 7961ae6-7961b01 252->263 253->263 254->229 264 7961835-796183f 255->264 265 7961833 255->265 262 7961889-7961911 256->262 258 7961875-7961882 257->258 259 7961870-7961873 257->259 266 7961884 258->266 259->266 267 7961b7c-7961b86 260->267 268 7961b4a-7961b50 260->268 282 7961a30-7961a34 261->282 283 7961a18-7961a1e 261->283 264->254 265->254 266->262 278 7961b90-7961b96 267->278 279 7961b88-7961b8d 267->279 273 7961b52-7961b54 268->273 274 7961b5e-7961b79 268->274 273->274 280 7961b9c-7961ba8 278->280 281 7961b98-7961b9a 278->281 284 7961baa-7961bc1 280->284 281->284 290 7961a3a-7961a41 282->290 286 7961a22-7961a2e 283->286 287 7961a20 283->287 286->282 287->282 293 7961a43-7961a46 290->293 294 7961a48-7961aa5 290->294 297 7961aaa-7961ab1 293->297 294->297
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1487196703.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ul$ul
                                            • API String ID: 0-759701873
                                            • Opcode ID: c17fda9f482ebc88fa04f7687bef59caea1e6e1d830771536067280b504f8bcb
                                            • Instruction ID: 62535a0b46aa5d41f79e98036a336d1efcb2a0aaef2b1aaf990dafc0853530f0
                                            • Opcode Fuzzy Hash: c17fda9f482ebc88fa04f7687bef59caea1e6e1d830771536067280b504f8bcb
                                            • Instruction Fuzzy Hash: 33B178B1B4020EDFDB149B79D4087AABBE6EFC6215F18C57AD805CB251EB31D841C7A1
                                            Function 08AD6420 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 370 8ad6420-8ad6463 371 8ad646b-8ad6497 SetThreadToken 370->371 372 8ad6499-8ad649f 371->372 373 8ad64a0-8ad64bd 371->373 372->373
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1491986357.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_8ad0000_powershell.jbxd
                                            Similarity
                                            • API ID: ThreadToken
                                            • String ID:
                                            • API String ID: 3254676861-0
                                            • Opcode ID: cd8f2ea8040a7f14b6b0dc55b0e3ebda9f144e896e715fd89d98e526260d3e02
                                            • Instruction ID: d18010c661c3f9885b80b272cddac6a6f7ec28674fc139f6b329a695ef5fdb29
                                            • Opcode Fuzzy Hash: cd8f2ea8040a7f14b6b0dc55b0e3ebda9f144e896e715fd89d98e526260d3e02
                                            • Instruction Fuzzy Hash: BE1146B58003488FDB10DFAAD884BDEFBF4AF89324F24845EE459A7650C774A944CFA1
                                            Function 08AD6428 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 376 8ad6428-8ad6497 SetThreadToken 378 8ad6499-8ad649f 376->378 379 8ad64a0-8ad64bd 376->379 378->379
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1491986357.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_8ad0000_powershell.jbxd
                                            Similarity
                                            • API ID: ThreadToken
                                            • String ID:
                                            • API String ID: 3254676861-0
                                            • Opcode ID: 9bdbecb5ece2b1b030e642d1dd258219da5b15cf858358d98c487fcce7b399ac
                                            • Instruction ID: 28ae0b71e232e1496d2e05403c4580f92be023091cf15585b96046680d5553ca
                                            • Opcode Fuzzy Hash: 9bdbecb5ece2b1b030e642d1dd258219da5b15cf858358d98c487fcce7b399ac
                                            • Instruction Fuzzy Hash: 511133B59003098FDB10DF9AC984BDEFBF8EB88724F24841AD419A7750C774A944CFA4
                                            Function 04AFDC88 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 382 4afdc88-4afdcad 384 4afdcaf 382->384 385 4afdcb6 382->385 384->385 386 4afdcbe-4afdcc8 385->386 388 4afdcca call 4afdcd9 386->388 389 4afdcca call 4afdce8 386->389 387 4afdcd0-4afdcd3 388->387 389->387
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +/Rn^
                                            • API String ID: 0-426686015
                                            • Opcode ID: 29f4911be0ca5bbb59da5819815ae836b6a402fa8480d31420cfb8b4a6e3e848
                                            • Instruction ID: 77d537501a195fb4d93d421f9bc69c00e6f89aa936c0799b0a6e9df3c7d3599b
                                            • Opcode Fuzzy Hash: 29f4911be0ca5bbb59da5819815ae836b6a402fa8480d31420cfb8b4a6e3e848
                                            • Instruction Fuzzy Hash: 43F0A0312097805B8327937DA814C9F7FAA9EC757030401AEE14ACB252DA54D80687B6
                                            Function 04AFDC98 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 390 4afdc98-4afdcad 392 4afdcaf 390->392 393 4afdcb6-4afdcc8 390->393 392->393 396 4afdcca call 4afdcd9 393->396 397 4afdcca call 4afdce8 393->397 395 4afdcd0-4afdcd3 396->395 397->395
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +/Rn^
                                            • API String ID: 0-426686015
                                            • Opcode ID: d566bdc4e7840311f3e6c1e0583ee906c1f20c5e8a3d3877f74e8bffa5a07df1
                                            • Instruction ID: f7d3d163c99184081b2d5222492a4c9c4c831a5c6bca576bbe7da77446f86d78
                                            • Opcode Fuzzy Hash: d566bdc4e7840311f3e6c1e0583ee906c1f20c5e8a3d3877f74e8bffa5a07df1
                                            • Instruction Fuzzy Hash: E7E08C31700A1047922AA66EE81085EB7DBDEC9575310402EE51A8B340EF64EC0647EA
                                            Function 07963CE8 Relevance: .6, Instructions: 587COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 543 7963ce8-7963d0d 544 7963d13-7963d18 543->544 545 7963f00-7963f0a 543->545 546 7963d30-7963d34 544->546 547 7963d1a-7963d20 544->547 553 7963f13-7963f1e 545->553 554 7963f0c-7963f11 545->554 551 7963eb0-7963eba 546->551 552 7963d3a-7963d3c 546->552 549 7963d24-7963d2e 547->549 550 7963d22 547->550 549->546 550->546 555 7963ebc-7963ec5 551->555 556 7963ec8-7963ece 551->556 557 7963d3e-7963d4a 552->557 558 7963d4c 552->558 561 7963f27-7963f4a 553->561 562 7963f20-7963f23 553->562 554->553 563 7963ed4-7963ee0 556->563 564 7963ed0-7963ed2 556->564 560 7963d4e-7963d50 557->560 558->560 560->551 567 7963d56-7963d75 560->567 565 7963f50-7963f55 561->565 566 79640ce-79640d6 561->566 562->561 568 7963ee2-7963efd 563->568 564->568 570 7963f57-7963f5d 565->570 571 7963f6d-7963f71 565->571 579 79640df-79640e6 566->579 580 79640d8-79640de 566->580 593 7963d77-7963d83 567->593 594 7963d85 567->594 572 7963f61-7963f6b 570->572 573 7963f5f 570->573 577 7963f77-7963f79 571->577 578 7964080-796408a 571->578 572->571 573->571 581 7963f7b-7963f87 577->581 582 7963f89 577->582 583 7964097-796409d 578->583 584 796408c-7964094 578->584 587 79640ef-7964112 579->587 588 79640e8-79640ea 579->588 580->579 590 7963f8b-7963f8d 581->590 582->590 591 79640a3-79640af 583->591 592 796409f-79640a1 583->592 595 7964228-7964232 587->595 596 7964118-796411d 587->596 588->587 590->578 597 7963f93-7963fb2 590->597 598 79640b1-79640cb 591->598 592->598 599 7963d87-7963d89 593->599 594->599 613 7964234-796423a 595->613 614 796423b-796425d 595->614 600 7964135-7964139 596->600 601 796411f-7964125 596->601 634 7963fb4-7963fc0 597->634 635 7963fc2 597->635 599->551 603 7963d8f-7963d96 599->603 608 796413f-7964141 600->608 609 79641da-79641e4 600->609 604 7964127 601->604 605 7964129-7964133 601->605 603->545 617 7963d9c-7963da1 603->617 604->600 605->600 611 7964143-796414f 608->611 612 7964151 608->612 615 79641e6-79641ee 609->615 616 79641f1-79641f7 609->616 619 7964153-7964155 611->619 612->619 613->614 620 796425f-7964281 614->620 621 796428b-7964295 614->621 622 79641fd-7964209 616->622 623 79641f9-79641fb 616->623 624 7963da3-7963da9 617->624 625 7963db9-7963dc8 617->625 619->609 628 796415b-796415d 619->628 660 79642d5-79642fe 620->660 661 7964283-7964288 620->661 630 7964297-796429c 621->630 631 796429f-79642a5 621->631 629 796420b-7964225 622->629 623->629 632 7963dad-7963db7 624->632 633 7963dab 624->633 625->551 652 7963dce-7963dec 625->652 638 7964177-796417e 628->638 639 796415f-7964165 628->639 641 79642a7-79642a9 631->641 642 79642ab-79642b7 631->642 632->625 633->625 636 7963fc4-7963fc6 634->636 635->636 636->578 644 7963fcc-7964003 636->644 648 7964196-79641d7 638->648 649 7964180-7964186 638->649 645 7964167 639->645 646 7964169-7964175 639->646 651 79642b9-79642d2 641->651 642->651 674 7964005-796400b 644->674 675 796401d-7964024 644->675 645->638 646->638 655 796418a-7964194 649->655 656 7964188 649->656 652->551 670 7963df2-7963e17 652->670 655->648 656->648 676 7964300-7964326 660->676 677 796432d-796435c 660->677 670->551 690 7963e1d-7963e24 670->690 678 796400f-796401b 674->678 679 796400d 674->679 680 7964026-796402c 675->680 681 796403c-796407d 675->681 676->677 688 7964395-796439f 677->688 689 796435e-796437b 677->689 678->675 679->675 686 7964030-796403a 680->686 687 796402e 680->687 686->681 687->681 693 79643a1-79643a5 688->693 694 79643a8-79643ae 688->694 701 79643e5-79643ea 689->701 702 796437d-796438f 689->702 695 7963e26-7963e41 690->695 696 7963e6a-7963e9d 690->696 699 79643b4-79643c0 694->699 700 79643b0-79643b2 694->700 706 7963e43-7963e49 695->706 707 7963e5b-7963e5f 695->707 715 7963ea4-7963ead 696->715 704 79643c2-79643e2 699->704 700->704 701->702 702->688 712 7963e4d-7963e59 706->712 713 7963e4b 706->713 714 7963e66-7963e68 707->714 712->707 713->707 714->715
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1487196703.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0186589f8edf56ed67d9fa4dd7b94ed1d8370a12c57241788fe14c1c21c08d9
                                            • Instruction ID: d2d857ad9e115aff5bb84b6f7b6b06aef105ba74401b84a103912205c50ed560
                                            • Opcode Fuzzy Hash: e0186589f8edf56ed67d9fa4dd7b94ed1d8370a12c57241788fe14c1c21c08d9
                                            • Instruction Fuzzy Hash: E8128BF17043528FDB159BA889147AABBB69FC2314F24857AD905CF392CB32DD42C7A1
                                            Function 04AF29F0 Relevance: .2, Instructions: 207COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 933 4af29f0-4af2a1e 934 4af2af5-4af2b37 933->934 935 4af2a24-4af2a3a 933->935 939 4af2b3d-4af2b56 934->939 940 4af2c51-4af2c61 934->940 936 4af2a3f-4af2a52 935->936 937 4af2a3c 935->937 936->934 944 4af2a58-4af2a65 936->944 937->936 942 4af2b5b-4af2b69 939->942 943 4af2b58 939->943 942->940 950 4af2b6f-4af2b79 942->950 943->942 946 4af2a6a-4af2a7c 944->946 947 4af2a67 944->947 946->934 951 4af2a7e-4af2a88 946->951 947->946 952 4af2b7b-4af2b7d 950->952 953 4af2b87-4af2b94 950->953 954 4af2a8a-4af2a8c 951->954 955 4af2a96-4af2aa6 951->955 952->953 953->940 956 4af2b9a-4af2baa 953->956 954->955 955->934 957 4af2aa8-4af2ab2 955->957 958 4af2baf-4af2bbd 956->958 959 4af2bac 956->959 960 4af2ab4-4af2ab6 957->960 961 4af2ac0-4af2af4 957->961 958->940 964 4af2bc3-4af2bd3 958->964 959->958 960->961 965 4af2bd8-4af2be5 964->965 966 4af2bd5 964->966 965->940 969 4af2be7-4af2bf7 965->969 966->965 970 4af2bfc-4af2c08 969->970 971 4af2bf9 969->971 970->940 973 4af2c0a-4af2c24 970->973 971->970 974 4af2c29 973->974 975 4af2c26 973->975 976 4af2c2e-4af2c38 974->976 975->974 977 4af2c3d-4af2c50 976->977
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2018c7ccdc43e806398dcc99962537de079a073373131d051653e38e32b28949
                                            • Instruction ID: f0400e87492599bafdef1b38b20b6dd2d917a8acc4c8e428313aed096f3ea972
                                            • Opcode Fuzzy Hash: 2018c7ccdc43e806398dcc99962537de079a073373131d051653e38e32b28949
                                            • Instruction Fuzzy Hash: B9917D75A006058FCB15CF99C8D4AAEFBB1FF88310B248599E915AB365C736FC51CBA0
                                            Function 04AFBAB0 Relevance: .2, Instructions: 157COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1113 4afbab0-4afbab8 1114 4afbaeb-4afbb50 1113->1114 1115 4afbaba-4afbae5 1113->1115 1119 4afbb56-4afbb61 1114->1119 1120 4afbb52 1114->1120 1115->1114 1121 4afbb66-4afbbc0 call 4afaf98 1119->1121 1122 4afbb63 1119->1122 1120->1119 1129 4afbbc2-4afbbc7 1121->1129 1130 4afbc11-4afbc15 1121->1130 1122->1121 1129->1130 1133 4afbbc9-4afbbec 1129->1133 1131 4afbc17-4afbc21 1130->1131 1132 4afbc26 1130->1132 1131->1132 1134 4afbc2b-4afbc2d 1132->1134 1135 4afbbf2-4afbbfd 1133->1135 1136 4afbc2f-4afbc50 1134->1136 1137 4afbc52 1134->1137 1138 4afbbff-4afbc05 1135->1138 1139 4afbc06-4afbc0f 1135->1139 1140 4afbc5a-4afbc5e 1136->1140 1137->1140 1141 4afbc55 call 4afa978 1137->1141 1138->1139 1139->1134 1143 4afbc97-4afbcc6 1140->1143 1144 4afbc60-4afbc89 1140->1144 1141->1140 1144->1143
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a17410152c9bc6a883b9f1bd131f55ab49a0af8d403047a57ced1c1bc65ee676
                                            • Instruction ID: 79fab59c07b83f2cd61dcffb53f0f458ee450b7e5c65e53899340cffb4a47ff4
                                            • Opcode Fuzzy Hash: a17410152c9bc6a883b9f1bd131f55ab49a0af8d403047a57ced1c1bc65ee676
                                            • Instruction Fuzzy Hash: E0613971E002499FDB14DFA9C884A8DFFF1FF88310F14816AE919AB351EB34A845CB60
                                            Function 04AFBAC0 Relevance: .2, Instructions: 155COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b80251ff80701398b4f188181fe6a205a418be07fd4fd55e1c9124bf9b1fa36c
                                            • Instruction ID: 04b5e86b352fea095a13498d193d7f27c771de1e606b67c4d2dbd04b0af35769
                                            • Opcode Fuzzy Hash: b80251ff80701398b4f188181fe6a205a418be07fd4fd55e1c9124bf9b1fa36c
                                            • Instruction Fuzzy Hash: A4611671E002499FDB14DFA9C984B9DFBF1FF88310F14812AE919AB254EB34AD45CB60
                                            Function 04AF7728 Relevance: .2, Instructions: 153COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 806cd2e8e91e20ecd7cb0603d851d498162b4e0827fe0ac95be9aa72db408570
                                            • Instruction ID: e058a224f0f2120c8240085e2504174ec77e82bef3dbb15626f37387f12ce85a
                                            • Opcode Fuzzy Hash: 806cd2e8e91e20ecd7cb0603d851d498162b4e0827fe0ac95be9aa72db408570
                                            • Instruction Fuzzy Hash: 49518E397002059FE714DBA9DC54B6ABBEAFFC9254F158469E609CB351EB31EC01CBA0
                                            Function 07963CCC Relevance: .1, Instructions: 125COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1487196703.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9feed5261f78b010b4e59cbae199f065a829664a4496bf660b9d972c3075c641
                                            • Instruction ID: b9ff93da5b4962c845c8e2ead551d763c35085f3b6e43aaa96b57daa55cc007f
                                            • Opcode Fuzzy Hash: 9feed5261f78b010b4e59cbae199f065a829664a4496bf660b9d972c3075c641
                                            • Instruction Fuzzy Hash: AC4149F5A00302DFCB218E14C6547BA7BAA9F82348F1482A9D9059F752C731ED45C7A1
                                            Function 04AF6FC8 Relevance: .1, Instructions: 114COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 080a08fcef3da150c79c755eebb41cb1dcd59abfe0fd0e5e991cc34446d9ca49
                                            • Instruction ID: d9f1fa3b88cdb896fcb856131c54490f7ff89549137ca44646dcd58a01361f50
                                            • Opcode Fuzzy Hash: 080a08fcef3da150c79c755eebb41cb1dcd59abfe0fd0e5e991cc34446d9ca49
                                            • Instruction Fuzzy Hash: E7411B34B042048FEB14DFA4C954AADBBF2AF8D711F1440A9E946EB391DB35ED01CB61
                                            Function 04AF2B00 Relevance: .1, Instructions: 106COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ce949044a83d44850435e1baa9cfc3cee58518ded0fccf28cd109dd94a35707
                                            • Instruction ID: f037501b3198714ba65c44467de7a7ea3e4603ef2d7063624f4adf4e04c0f4d1
                                            • Opcode Fuzzy Hash: 0ce949044a83d44850435e1baa9cfc3cee58518ded0fccf28cd109dd94a35707
                                            • Instruction Fuzzy Hash: 88412A75A006058FCB05CF99C9D8AAAF7B1FF48310B158599E915AB364C736FC51CFA0
                                            Function 04AFC388 Relevance: .1, Instructions: 101COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42817c61beb8a86b5773b20f13dbdeedc642d65c477529ee947d9c6a9981f46c
                                            • Instruction ID: 1c701259ace12bf862872db08c97aa6164315c2b21391cc26fdf732859914b39
                                            • Opcode Fuzzy Hash: 42817c61beb8a86b5773b20f13dbdeedc642d65c477529ee947d9c6a9981f46c
                                            • Instruction Fuzzy Hash: 2E319C313002019FE715EB79E854B9ABBE2FFC4225F048639E60ACB355DF71A815CBA1
                                            Function 04AF6FA0 Relevance: .1, Instructions: 101COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75148af84a20b8c1a7bb1243fc491b1e92932d698fae8a0f86227648f50b4938
                                            • Instruction ID: 57da5906c6030e20f741d235de55271bead907d52dd32af390a42942690dbd29
                                            • Opcode Fuzzy Hash: 75148af84a20b8c1a7bb1243fc491b1e92932d698fae8a0f86227648f50b4938
                                            • Instruction Fuzzy Hash: 19310B34B042058FDB15CFA4C954AA9BBF5EF8D311F1480A8EA46EB391DB35ED41CB60
                                            Function 04AFAE60 Relevance: .1, Instructions: 89COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 715d1b8d092efc09515313de98349620586061918e0e9df71b829fb00fb103e1
                                            • Instruction ID: fa5fe293ffc888ef4d5f3201346dbb9fb273bc5cb7653305e50e05a1590c12ea
                                            • Opcode Fuzzy Hash: 715d1b8d092efc09515313de98349620586061918e0e9df71b829fb00fb103e1
                                            • Instruction Fuzzy Hash: F6314C70A006099FDB05DFA9D994BEEBBF6AFC8710F148029E509EB350EB349C458B61
                                            Function 04AFAD28 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce588b57c8a8d596338dc4d97b86613d1851fd7e7c3b21614db2a82854abbe26
                                            • Instruction ID: e60c8ed782d716632e25cfda1df61058aced974fbab699f8488b9e5470a782d8
                                            • Opcode Fuzzy Hash: ce588b57c8a8d596338dc4d97b86613d1851fd7e7c3b21614db2a82854abbe26
                                            • Instruction Fuzzy Hash: DB31AFB4A002459FEB05DBB4D894AEEBBB2EFC4304F1584B9D604AB391CA75AD01CB61
                                            Function 04AFAE70 Relevance: .1, Instructions: 84COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7aad34b4b5665194e96d75c84f8f6decc098c76bb6fbf790fc8c6a2d94c23267
                                            • Instruction ID: ab95662aefde8122429fbf9eb8f5639d979f981740e9b9180fdc162bae212070
                                            • Opcode Fuzzy Hash: 7aad34b4b5665194e96d75c84f8f6decc098c76bb6fbf790fc8c6a2d94c23267
                                            • Instruction Fuzzy Hash: 40315070A006099FDB04DFA9C9947EEBBF6EFC8710F108029E509EB350EB349C058B61
                                            Function 04AFDFC0 Relevance: .1, Instructions: 82COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a363bfcd0a815cd8b12bc7cf459df3e837e5d7f0eff368ba0a1e3f18f6bfb74b
                                            • Instruction ID: 201798f478418bd772ae4cdd7dc0ad56de88a43ea1e6521bc67acd341ac2e972
                                            • Opcode Fuzzy Hash: a363bfcd0a815cd8b12bc7cf459df3e837e5d7f0eff368ba0a1e3f18f6bfb74b
                                            • Instruction Fuzzy Hash: BB314D70A002049FDB14DFB8D458A9EBBF2FF89614F04456DE806EB361DB75AD81CB90
                                            Function 04AFAF98 Relevance: .1, Instructions: 81COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7df27c522fe836cdc07733fc3313c1eac2a1fb9f470a48afa281d9b4f0140331
                                            • Instruction ID: d4a9bcbc0e3a1ae4a24c3a82044b5f5e84e4d7623f54d3f996da08c0a2fa0715
                                            • Opcode Fuzzy Hash: 7df27c522fe836cdc07733fc3313c1eac2a1fb9f470a48afa281d9b4f0140331
                                            • Instruction Fuzzy Hash: 1B21B271A043488FDB15DBAAD804B9EBBF5EFC9320F14846EE508A7340CB75A905CBA5
                                            Function 04AFAD38 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f29830ff58faa630041934ac4fe2931d6ffb619e7266f8bca3aa42a2fe454fa
                                            • Instruction ID: 653162e1d88dc8213a6545293c2262fe647042007e2e2af422893645e7fed925
                                            • Opcode Fuzzy Hash: 1f29830ff58faa630041934ac4fe2931d6ffb619e7266f8bca3aa42a2fe454fa
                                            • Instruction Fuzzy Hash: 433150B4B002099FEB04EBB4D854AEEB7B2EFC4304F108478D615AB394DA75AD018B90
                                            Function 04AFDFD0 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b08b8ef77b407ddde71f4f71607691abdb32b04fc0f75d99a058148e80bc6fe2
                                            • Instruction ID: 71729febc9d5bba389990341206c13d93de45dcbb9424ed3632d007ed0468080
                                            • Opcode Fuzzy Hash: b08b8ef77b407ddde71f4f71607691abdb32b04fc0f75d99a058148e80bc6fe2
                                            • Instruction Fuzzy Hash: 36311870B002048FDB14DFA8D458A9EBBF2FF88714F144569E806EB3A0DB75AC45CB90
                                            Function 0494F3D8 Relevance: .1, Instructions: 76COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a999d3ebdf00624c138301dbfc97cea0e031d20e9bee0cf0c5b060b161cb1045
                                            • Instruction ID: 490b37854cf6b7a3d6dfde008322bc5f71e515341da6bd393b6dc359b58ce13d
                                            • Opcode Fuzzy Hash: a999d3ebdf00624c138301dbfc97cea0e031d20e9bee0cf0c5b060b161cb1045
                                            • Instruction Fuzzy Hash: 3A21E576604301DFDB05DF10D9C8F16BB66FBC8314F24C5A9E9090A25AC736E456CBA1
                                            Function 04AF93F0 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b91876ad7df52953ee9aa115b82c04c2dbe01010cf5c524c0f1fc3257f7019bc
                                            • Instruction ID: 8c15d67ae0577eb3dba2f4bc45d515a86b2908339e847873b6e54fdb15bfee4b
                                            • Opcode Fuzzy Hash: b91876ad7df52953ee9aa115b82c04c2dbe01010cf5c524c0f1fc3257f7019bc
                                            • Instruction Fuzzy Hash: F631BCB0A057448EDB60CFAAD4887CAFFF6EF88310F28C02DE94D97245C6746445CB61
                                            Function 0494F02C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf9a7647ed98228377e717a1a72db3a813c1d78c6eb06e4f09c32fd59b6c1e64
                                            • Instruction ID: afaeb8d3dac77c40dc4196cc4ab1d38ada144627b5d371c870456cf7a0c4b38a
                                            • Opcode Fuzzy Hash: bf9a7647ed98228377e717a1a72db3a813c1d78c6eb06e4f09c32fd59b6c1e64
                                            • Instruction Fuzzy Hash: BC2103756042419FDB14DF10D984F16BBA5EBC4324F20C979DA094B24AC376E446CA62
                                            Function 04AF9400 Relevance: .1, Instructions: 69COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e5a5e556521e1810822920d0dc9cf3584d7ab79e0e4ad5a3c6b653279a8789cf
                                            • Instruction ID: 4a47cd887d0bcc681e0a9ef1c8d0614e96ff9d40c7ecca503b8a5f6c4f798200
                                            • Opcode Fuzzy Hash: e5a5e556521e1810822920d0dc9cf3584d7ab79e0e4ad5a3c6b653279a8789cf
                                            • Instruction Fuzzy Hash: 55217CB0A017448EEB60DFAAC48878AFFF6EB88310F28C41EE95D97245D6746445CB61
                                            Function 04AF7664 Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f105383537c5f9e4916654209c7c1e1563471ffc195952640ba18f602272e9c3
                                            • Instruction ID: efef0d978fc76d23c7c90369ae935d25ed641da7e328b285ffcc8b4c00e69278
                                            • Opcode Fuzzy Hash: f105383537c5f9e4916654209c7c1e1563471ffc195952640ba18f602272e9c3
                                            • Instruction Fuzzy Hash: E2112B397001188FDB14DFA8E840ADDB7F6EFCC625B0540A4EA09DB350DB30EC118BA0
                                            Function 0494F3D3 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
                                            • Instruction ID: 92704722297ebaaeebd39cf9313829b77f77f8682eb2622111ad7392ffaab8ad
                                            • Opcode Fuzzy Hash: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
                                            • Instruction Fuzzy Hash: D5219D76504241DFCF06CF10D9C4B16BF72FB88314F24C5A9D9494A65AC73AD46ACF91
                                            Function 0494F027 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
                                            • Instruction ID: 900bca1a63b4922c79e972f183fea30c04a7a65bc7d469da015ad8d355328f79
                                            • Opcode Fuzzy Hash: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
                                            • Instruction Fuzzy Hash: 65119D7A504284DFCB15CF14D5C4B15BFA1FB84328F28C6AED9494B65AC33AE44ACB62
                                            Function 04AFBCE0 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9644c3d82e6fca2d90fe66e7ec80d58037381d06d955c822471493d70984e916
                                            • Instruction ID: 6693ccbc06a5bec6ac596b958e6d5f216c4ef9b5020caf97089385efb9a30210
                                            • Opcode Fuzzy Hash: 9644c3d82e6fca2d90fe66e7ec80d58037381d06d955c822471493d70984e916
                                            • Instruction Fuzzy Hash: 6201F9312087445FD725DB75D854A5A7FF4EF46220F1444EEE18EC76A2D621F845C711
                                            Function 04AFE100 Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c5d5596bdfa83cf9c367e85e0de191ad2ed3f2f1c2ba9900e2c8f5cfc60d5ae
                                            • Instruction ID: 28368873c89d1c15ee79faf4a5554563c33af4f5883b84623c9e8f5ccedbae9b
                                            • Opcode Fuzzy Hash: 0c5d5596bdfa83cf9c367e85e0de191ad2ed3f2f1c2ba9900e2c8f5cfc60d5ae
                                            • Instruction Fuzzy Hash: 9B11F734204750CFC728DF75D480996BBF6AF8921576089ADD48A87BA1CB32E845CB50
                                            Function 04AFDE98 Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37cbe84ce2f723cfd47df58d8af27d4777e5574c1173a95546a980ced4158507
                                            • Instruction ID: f2066903041a59801d7a2353147fe33598a880dfbcd440d461e79a125deb3a84
                                            • Opcode Fuzzy Hash: 37cbe84ce2f723cfd47df58d8af27d4777e5574c1173a95546a980ced4158507
                                            • Instruction Fuzzy Hash: E8018035700214DFCB119F78E8086AEFBF5FB88215B04416DE51AD3252DB31A915CB90
                                            Function 04AFBF10 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab944a806369583021c3f942b84975383402dc273cae76a3aeba67c5244878e7
                                            • Instruction ID: 977fa6f811ce33b48fd078b368a1a091ed45fcebf934baa46a9cf86cee738c1d
                                            • Opcode Fuzzy Hash: ab944a806369583021c3f942b84975383402dc273cae76a3aeba67c5244878e7
                                            • Instruction Fuzzy Hash: 5F0181313093901FD7128A7A9C549677FE9DF87621B0944AAF994CB2A2CAB0CD048B71
                                            Function 0494D01D Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 57bea068152a3d5e73c2a058054f6304c50aa0441b697f1e93cb9f5edb522eab
                                            • Instruction ID: 2684b9e968b030418cf63a45cb11efe51760f52e05ed810905920c6745496e51
                                            • Opcode Fuzzy Hash: 57bea068152a3d5e73c2a058054f6304c50aa0441b697f1e93cb9f5edb522eab
                                            • Instruction Fuzzy Hash: A301F275505304AAE7204F21EC84F67BF9CEFC1625F18C62AEC480B682C279A941CBB2
                                            Function 0494D005 Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 211fc37f5654644e24fbb6d74b37d6c3d71bb5097fe4d47f05e4a55fcb655e9d
                                            • Instruction ID: 5641ed8e9ff931c3cbbf06a9ee06cf99bcd484a759e12a61d651e03ca5541b13
                                            • Opcode Fuzzy Hash: 211fc37f5654644e24fbb6d74b37d6c3d71bb5097fe4d47f05e4a55fcb655e9d
                                            • Instruction Fuzzy Hash: 4B01757100E3C45FD7124B25DC94B52BFA8DF83224F1885EBE8888F193C2695C45C771
                                            Function 04AFF7C1 Relevance: .0, Instructions: 41COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 755811604ea4d554d9eca393b7f7b5ca6c6ce92d2c741ebea74d770dab94b01b
                                            • Instruction ID: 7a05191996cbf4bad3dee7c2bf90a8cf95979fcc063b7364ed34158bd0375155
                                            • Opcode Fuzzy Hash: 755811604ea4d554d9eca393b7f7b5ca6c6ce92d2c741ebea74d770dab94b01b
                                            • Instruction Fuzzy Hash: 8401D771D00B4AABCB00DFE4C9446EEBBB1BF9A300F14461EE155A6651EBB02695CB80
                                            Function 04AF7940 Relevance: .0, Instructions: 39COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0e33fef55ca3c14a0e2203a50cb9b7edfcbda28e4c458086b19852f812507c0
                                            • Instruction ID: df3ef7f8b72087f61158fbca5423d529a08caeef48d1251f6bd142ca140edd0a
                                            • Opcode Fuzzy Hash: e0e33fef55ca3c14a0e2203a50cb9b7edfcbda28e4c458086b19852f812507c0
                                            • Instruction Fuzzy Hash: 87F09071705714AFD724AA69DC40A6E77E9FB89725F00092DE50AD3750DF71AC4187A0
                                            Function 04AF90D8 Relevance: .0, Instructions: 37COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9cbecf063abe7bf7217a2b7ca084ca673661de5c0115cbd469269d313cdac4e2
                                            • Instruction ID: 33a2cdb57cc1ec9da42dbf2758ef9519c47a32a1d6c220e6dc1deb7200299d73
                                            • Opcode Fuzzy Hash: 9cbecf063abe7bf7217a2b7ca084ca673661de5c0115cbd469269d313cdac4e2
                                            • Instruction Fuzzy Hash: D0F0C8716086409FE311AB78C4157AB7BA5DFC1314F14816FD5055B386CE392806D7A1
                                            Function 0494D993 Relevance: .0, Instructions: 37COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b420e20267d5205bb2192454d5c4f77fb61a7a0d39da72cdb3cfa59ede150a83
                                            • Instruction ID: e33c72299d7545068860afc72c51c1c63a076899ef907a1526d6eb340252f66b
                                            • Opcode Fuzzy Hash: b420e20267d5205bb2192454d5c4f77fb61a7a0d39da72cdb3cfa59ede150a83
                                            • Instruction Fuzzy Hash: E6F0E776201600AF97248F0ADD84C27FBADEBD4770319C56AEC4A8B652C671FC41CAA0
                                            Function 04AFDE38 Relevance: .0, Instructions: 34COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79cd4389c9a8fadd4ee777bc86600d65195ebd658f558f9c742c56fb64e46691
                                            • Instruction ID: 6cbc3a93944be2952ae21bf9af197ea09539decc9d0d8245a3357bae461fe2f9
                                            • Opcode Fuzzy Hash: 79cd4389c9a8fadd4ee777bc86600d65195ebd658f558f9c742c56fb64e46691
                                            • Instruction Fuzzy Hash: 32F05E383051808FC3118B2CE894CA6BBF6AFCA7153294099E585CB732DA61DC01CB90
                                            Function 04AFF7D0 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3016391a3f6e85ee343bf90656b7d8fdd24427b1d03ec9140343f76ea9921632
                                            • Instruction ID: 3bc1d0d166a57c5acd5c6ac630de1421a4115dcbdd6902f17f4a03fde4eb73a5
                                            • Opcode Fuzzy Hash: 3016391a3f6e85ee343bf90656b7d8fdd24427b1d03ec9140343f76ea9921632
                                            • Instruction Fuzzy Hash: 8501D271D0074AEBCB04DFE4C8446EEFBB0FF99300F10472AE005A6640EBB02695CB80
                                            Function 04AF9158 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6bcc011908dbef95654a3f26eb2b4f45c98abe90612f0078e31615578baab2d
                                            • Instruction ID: a9ad819497260d03c343be91073cffdc12a28a8be7fb1827d5e5224a0ca2c0a7
                                            • Opcode Fuzzy Hash: d6bcc011908dbef95654a3f26eb2b4f45c98abe90612f0078e31615578baab2d
                                            • Instruction Fuzzy Hash: CCF054705093445FD7619F78D89879ABFF5EB42350F0444AEE54ED7282CB356844C750
                                            Function 04AF7950 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 145e8cf3fac28e63a3036f9d6270fe7aa5a68ee7cad04f9dbf9daab5614f4c30
                                            • Instruction ID: 29ed65e6e4d96e42e1522361d0e24e22f56be14810f2c1846b2f896f0edf9c41
                                            • Opcode Fuzzy Hash: 145e8cf3fac28e63a3036f9d6270fe7aa5a68ee7cad04f9dbf9daab5614f4c30
                                            • Instruction Fuzzy Hash: 3EF0A7317047149FD714AB69DC4496F77E9FBC8675B00052DE50AD3740DF30AC0187A0
                                            Function 0494D984 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469040502.000000000494D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0494D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_494d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 148b2c9b34d9ddf070d86da5bc1f362ed8563b87ab63426bfc51c0102f0f586a
                                            • Instruction ID: f532613b37310aebc8996aded96b7fd9508b138a65d7ab23627247936800bf81
                                            • Opcode Fuzzy Hash: 148b2c9b34d9ddf070d86da5bc1f362ed8563b87ab63426bfc51c0102f0f586a
                                            • Instruction Fuzzy Hash: 52F0F979101A40AFD725CF06CD84D23BBB9EBD9720B198599AC5A8B752C671FC42CFA0
                                            Function 04AF767F Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3fe9606674f832dbb196c82581fabc77085edfbe331ad81d706a0cf5c8c1c074
                                            • Instruction ID: 0d22f7bea61eb942dcb9ee8173f7de21a70fda407844b2a03b1822b6c612bdaf
                                            • Opcode Fuzzy Hash: 3fe9606674f832dbb196c82581fabc77085edfbe331ad81d706a0cf5c8c1c074
                                            • Instruction Fuzzy Hash: B8F030397001148FDB50EBADDC40A9977A6EFCC6567158168FA09CB354DF34EC064B90
                                            Function 04AF90E8 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18d17d5540e05fd92ffdc6cbd1e7896dc3140556febcc4752e6376e23624d8ab
                                            • Instruction ID: 8096f08ed12e68994b0657bc2ba77e76ba282cd30a012d2d7c1e51a785cd12f8
                                            • Opcode Fuzzy Hash: 18d17d5540e05fd92ffdc6cbd1e7896dc3140556febcc4752e6376e23624d8ab
                                            • Instruction Fuzzy Hash: E5F0E2717045049BE310BBB8C40879BB7A6EBC0318F10812AC90A57384CE3A380687E0
                                            Function 04AFDE48 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c82c3a862f5924fb639a352e65459822ed649e9447345eb29349bceaaff4cf9d
                                            • Instruction ID: 8d1060c575ff40d2a987296f6c0b29e025468900931c7933b2fd55250d07de6d
                                            • Opcode Fuzzy Hash: c82c3a862f5924fb639a352e65459822ed649e9447345eb29349bceaaff4cf9d
                                            • Instruction Fuzzy Hash: 5DE0ED353001108F83149B5DD454C66B7FAEFCE65531540A9F649CB321DA61EC01CB90
                                            Function 04AF9542 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94a73f3876c4b9261ab034d2ef74af5b193348ff12c7d0f8b1848e139ea2d4ec
                                            • Instruction ID: 0d8699ad7f727e8eb9724c813244a860ce250becbd80ad248e81328ce5e1de1c
                                            • Opcode Fuzzy Hash: 94a73f3876c4b9261ab034d2ef74af5b193348ff12c7d0f8b1848e139ea2d4ec
                                            • Instruction Fuzzy Hash: E1E0DF2134A2D50E875673F81D506BB6FDA4FC70A970900BFEB49DB253DD48AC0A83B2
                                            Function 04AFDCD9 Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0c2bf2c55926b074ae69de8425b952c81ff671490561b7bd8d71694324c420e
                                            • Instruction ID: 7190cd086adcafc388db942c9e80f7b2b9576d837cafdf6ec46f3231ff4f66aa
                                            • Opcode Fuzzy Hash: c0c2bf2c55926b074ae69de8425b952c81ff671490561b7bd8d71694324c420e
                                            • Instruction Fuzzy Hash: D8E09B35714090A7CB19866DD8448FABF75DFCA320F04807EF64BA7241DA316516D7E1
                                            Function 04AF896A Relevance: .0, Instructions: 29COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19ec2ec3d0116ea01b31b43b0bed2680eeafd494ca24db24a90a5c76aed5bd00
                                            • Instruction ID: 7ed953fcecf71477cd7f638ba716061bf2366a302c4e6411deb4dfafbbd47d88
                                            • Opcode Fuzzy Hash: 19ec2ec3d0116ea01b31b43b0bed2680eeafd494ca24db24a90a5c76aed5bd00
                                            • Instruction Fuzzy Hash: C1F0A03430D2905BDB0A2778A8189AE7FA59FC6664F0400AED60687283CF28081993A5
                                            Function 04AFAF88 Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc6406f943b011217ec8811f969a300111d50778484a9e36fbfbf8d29d6b51b9
                                            • Instruction ID: e126079cdbe72c2f66e813be85cfe2e4d465ef1fb5d39cf2087e3486a20fe32f
                                            • Opcode Fuzzy Hash: cc6406f943b011217ec8811f969a300111d50778484a9e36fbfbf8d29d6b51b9
                                            • Instruction Fuzzy Hash: 85E0D81630D2D11A8B16827D6C504E6AF778EC763130981FAF188CF687D8515C0683A1
                                            Function 04AF9168 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce1cc8110f5933cafcae2670c1bf36ab62d7a1fe332a7fb6b28534a0937ddc16
                                            • Instruction ID: 9513970643eb419c811588fee00a7be7dcd20f56ff3d267bdba0a1b0532f57de
                                            • Opcode Fuzzy Hash: ce1cc8110f5933cafcae2670c1bf36ab62d7a1fe332a7fb6b28534a0937ddc16
                                            • Instruction Fuzzy Hash: DCF0ED70A053049BD7649FB9D89C79ABBE9EB44360F00456DE65ED7340DB3968848B90
                                            Function 04AF8978 Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c7efedecc890f3370b3547c17c874d5a8dcd3595251a4ec382b70a2ab3e8e73b
                                            • Instruction ID: a3c17bd63d664013cc787dc026c05825c32c2d01e69b8b2649f28230e7cbc2a8
                                            • Opcode Fuzzy Hash: c7efedecc890f3370b3547c17c874d5a8dcd3595251a4ec382b70a2ab3e8e73b
                                            • Instruction Fuzzy Hash: A7E0863570C61457DB0937B9A41C6AEBA9AEBC4769F04002EEA0683382CF79691593D9
                                            Function 04AF9550 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 900c9fd5549f1c2fb355329ac79f0880b9b78403a0b8e776d9fc2e0be4e989f5
                                            • Instruction ID: 765f3d09ca61bc206c9db2dbcf2707205400602ae7f9a0093e3140f92eb9b193
                                            • Opcode Fuzzy Hash: 900c9fd5549f1c2fb355329ac79f0880b9b78403a0b8e776d9fc2e0be4e989f5
                                            • Instruction Fuzzy Hash: 9BD09E1274152517569476FA1E507BBA5CF8BC94A9705013ABB09D7341EE49FC0643F2
                                            Function 04AFDCE8 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                            • Instruction ID: 2577b858167825ddef4da6bf2bc5c20d3cfe26ebc15c90b619a77008eb872bb0
                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                            • Instruction Fuzzy Hash: 10E08631B10014978B089999D8104EDFBBADBCC220F04807AEA0AA7340DA32691586E1
                                            Function 04AF8739 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28018d783088160b98f7669f9525e5719c3df23293ca3e351376bebf436630a4
                                            • Instruction ID: 80e33086ef913348e05476e1512b1d8198df7675626f51f3293d6574096c3e6f
                                            • Opcode Fuzzy Hash: 28018d783088160b98f7669f9525e5719c3df23293ca3e351376bebf436630a4
                                            • Instruction Fuzzy Hash: 55E04F359041499BCF09ABA8EC5A8FEBF34EA15301F40419CEAA753192EA61595ACBC0
                                            Function 04AFF860 Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46f8f3338110743dbbfb2c5168525f61db67ca19a86de38c2f6e514697617d9d
                                            • Instruction ID: 166ebd166e9dbd20d9689b8aaf6617ee4ee1eb5bd6a580c14057f472c58dc0c1
                                            • Opcode Fuzzy Hash: 46f8f3338110743dbbfb2c5168525f61db67ca19a86de38c2f6e514697617d9d
                                            • Instruction Fuzzy Hash: 26E01270D00209DF8740DFE8C842559FBF4EB09210B5085EED948DB205E7325A42DBD1
                                            Function 04AF8800 Relevance: .0, Instructions: 21COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de8b06a5f32943b984325d0293239f3dec946c04a74425c783a1865f062a5c17
                                            • Instruction ID: b0244e890c7720f9bd53235d8370ca56c879bf976b7300b97a5ac4af6d39005e
                                            • Opcode Fuzzy Hash: de8b06a5f32943b984325d0293239f3dec946c04a74425c783a1865f062a5c17
                                            • Instruction Fuzzy Hash: 05E048349082469BCB05DBB8E44686EFFB0EB46210F04429DEA4997747D6311455DF81
                                            Function 04AFF870 Relevance: .0, Instructions: 16COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                            • Instruction ID: a9b548255f4da00cb67e0317b058aa51959a922120a8e4d47cc361179b9369bb
                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                            • Instruction Fuzzy Hash: 3ED067B0E042099F8780EFEDC94156EFBF4EB48200F6085AA9919E7301F7329A12DBD1
                                            Function 04AF8748 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a08ebf97bc8e6bfa1fb631c774f3bc48f05fb4779528fbd214e09890695b5166
                                            • Instruction ID: 0c8896b1a66ef6a75d1e4baf167e0a2b174c4c918dbbfbf8b75f64bfc73343e7
                                            • Opcode Fuzzy Hash: a08ebf97bc8e6bfa1fb631c774f3bc48f05fb4779528fbd214e09890695b5166
                                            • Instruction Fuzzy Hash: 69D067319051098BCF08ABA9E85A4BDFB74FA14301F40416DEA1753191EB316A6ADEC5
                                            Function 04AF8810 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4c028a5203c6879bae93d45b91d2628a0387d9fc9d8ff96230340813e55b8ab
                                            • Instruction ID: 5b8675bba43d33b3465ec187a40b1f4f2024afc125dc5cbc5d93d085b1f26b85
                                            • Opcode Fuzzy Hash: e4c028a5203c6879bae93d45b91d2628a0387d9fc9d8ff96230340813e55b8ab
                                            • Instruction Fuzzy Hash: 50D01234A0820A8F8B04EFA8D44646DFBB4E744200F004159D90593381EA306855DBC1
                                            Function 04AF7E90 Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e19f92bd5f9094f2fe6638600bf18b1dc777802f4b13134e748de8d3a0de646
                                            • Instruction ID: b49c59b61ad93a21efe4306e1f82a9b7b6e804c697a4110d9baab4b094dbad34
                                            • Opcode Fuzzy Hash: 9e19f92bd5f9094f2fe6638600bf18b1dc777802f4b13134e748de8d3a0de646
                                            • Instruction Fuzzy Hash: 10C092337923008FFF0F9A38CC163267FA2AF83701F0289988003C6060CEB48400CA24
                                            Function 04AF7920 Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4cbdd850e57e6c318fdabc4b82b4a13be8daee847a2c094a9c4f90ec9bdfc97e
                                            • Instruction ID: 8aa78affab3ecbc97d3fd1896ab6fbc506bcaf2de8766535d1da87c4ab94c487
                                            • Opcode Fuzzy Hash: 4cbdd850e57e6c318fdabc4b82b4a13be8daee847a2c094a9c4f90ec9bdfc97e
                                            • Instruction Fuzzy Hash: 5DC08C30004708CFC6083FB494018043F68EB403323410498E90F1A2A39A36A841CA10
                                            Function 04AF7928 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1469874381.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_4af0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b0a16aea54bd7519ff45e0b016a6ff29c643eddacdc37465bd080bfe85d3c60e
                                            • Instruction ID: 1d6b07e6cb9c5063119c52ffe1d291bddb5418cffa54b67a9485dd83d919fc72
                                            • Opcode Fuzzy Hash: b0a16aea54bd7519ff45e0b016a6ff29c643eddacdc37465bd080bfe85d3c60e
                                            • Instruction Fuzzy Hash: 3CB09230049708CFC2486FB5A4048147729AB4022638004A9ED1E0A2939E37E885CA44